
06-13 December 2015

Big Data

WW – No, “Big Data” Can’t Predict the Future

The Bing teams are learning a lesson only Austrians and, more specifically, Misesian praxeologists, seem to be alone in grasping: that there are no constants in human action, and therefore that predictions of social phenomena are impossible. Pattern predictions, as Hayek called them, may not be impossible, but predictions of exact magnitudes are. For instance, we can rely on economic law (such as “demand curves slope downward”) to estimate an outcome such as “the price will be lower than it otherwise would have been,” but we can’t say exactly what that price will be. [Source]

HK – Hong Kong DPA Requires Data Subject Consent and DPA Authorization When Using Matching Procedures

The Privacy Commissioner for Personal Data (“PCPD”) issues guidance on matching procedures. Matching procedures cannot be carried out unless consent has been received from data subjects (voluntary express consent) and authorisation has been obtained from the DPA; the personal data collected for the procedure cannot be used for a new purpose (directly related or any other purpose) unless data subjects have given express consent. [PCPD Hong Kong – Information Leaflet – Matching Procedure – Some Common Questions]

Canada

CA – OPC Tables 2014-2015 Annual Report on Privacy Act

The Office of the Privacy Commissioner (OPC) of Canada’s 2014-2015 Privacy Act annual report was tabled in Parliament. Privacy Commissioner Daniel Therrien said the number of complaints to the OPC increased slightly during the fiscal year, totaling 3,977. Therrien has identified four strategic privacy priorities for the next five years: the economics of personal information; reputation and privacy; government surveillance; and the body as information. [OPC Press Release] [Federal Government Must Do More to Prevent Breaches] [Globe&Mail: Therrien Wants “Exhaustive Debate” on Bill C-51]

CA – Alberta OIPC Annual Report: Breaches Doubled This Year

Alberta Privacy Commissioner Jill Clayton says she’s alarmed by a near doubling of privacy breaches as well as concerned about “the growing number of court challenges of her investigations.” In her annual report, Clayton said the number of self-reported breaches is up 86% this year compared with last year. Breaches reported include information contained on mobile devices that is not encrypted, as well as snoopers spying on family, friends and neighbours. Clayton also said government challenges to her cases are costing taxpayers money and delaying results. [Calgary Herald] See also [A BC Information and Privacy Commissioner adjudicator said government bureaucrats have the right to refuse to disclose email logs and also that it’s unreasonable to release the data with personal information redacted.]

CA – Section 30.1 of BC Privacy Law “Hampering Innovations”

The trend toward storing data on servers anywhere and everywhere, rather than on drives kept physically on site, runs directly into a BC privacy law. It was written 11 years ago to safeguard against U.S. snooping that was allowed by the far-reaching USA Patriot Act. It gets reviewed every 5 years by a committee. Another review is underway, and members have heard an earful recently about how that privacy safeguard — Section 30.1 — hampers public agencies trying to do business in the interconnected world. “It erodes our competitiveness. It’s preventing us from using world-class tools that other universities use in other jurisdictions. It’s adding costs and administrative complexity” says University of B.C. lawyer Paul Hancock (who was representing the four research universities). The College of Registered Nurses has also weighed in on the question of why private bodies routinely handle B.C. citizens’ personal information outside of Canada, but public bodies are forbidden from doing so. [The Victoria Times Colonist]

CA – Ontario’s Bill 113 Passed, What Now?

Timothy Banks provides an overview of concerns about the Ontario Police Records Checks Reform Act, 2015. The Ontario legislature passed the bill last week, but prior to that the Standing Committee heard concerns from stakeholders including the Association of Children’s Aid Societies, the National Association of Professional Background Screeners, the Ontario Nonprofit Network and the Civil Liberties Association. Banks offers an overview of those concerns, where they landed and what the government needs to do to make the law operational. [Full Story] [Ontario Breach Notification Bill Gains Traction]

CA – Trudeau Government Omits Bill C-51 in Maiden Throne Speech

The Throne Speech does not specifically reiterate Trudeau’s vow to repeal or amend controversial provisions in anti-terrorism legislation passed by the previous Conservative government. Among other things, Trudeau has promised to create a multi-party parliamentary oversight committee to monitor the activities of departments and agencies with responsibility for national security. He has also promised to amend the legislation so that it’s clear that legal protests or advocacy can’t be construed as terrorist activities. In what is likely meant to be an indirect reference to those promises, the throne speech says only that “the government will continue to work to keep all Canadians safe, while at the same time protecting our cherished rights and freedoms.” [National Post] See also: [Why nobody should bet on Trudeau ‘fixing’ C-51]

Consumer

WW – Google Responds to EFF Complaint About Student Data Privacy

“The facts about student data privacy in Google Apps for Education and Chromebooks” responds to the Electronic Frontier Foundation (EFF) complaint regarding Google Apps for Education (GAFE) and other products and services, especially Chrome Sync. “While we appreciate the EFF’s focus on student data privacy, we are confident that our tools comply with both the law and our promises, including the Student Privacy Pledge, which we signed earlier this year. …I want to reiterate some important facts about how our products work, how we keep students’ data private and secure, and our commitment to schools, more broadly…” [Google Apps Blog]

US – 64% of Shoppers Will Say Bye Bye to Breached Business

Gemalto’s newest global survey entitled “Broken Trust: ‘Tis the Season to Be Wary,” found that 64% of respondents felt they were “unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen,” with 49% feeling that way regarding the loss of their personal information. “The media coverage of massive data breaches has done little to instill consumers’ confidence in how well companies, big and small, are protecting their data,” said Gemalto. “Either companies need to increase their security measures or, assuming that they already have these in place, they need to communicate this to their customers.” [Dark Reading]

WW – License Plate Readers Enter the Mainstream

OpenALPR boasts a cheap license plate reader (LPR) that interested shoppers can purchase online, and privacy advocates agree that the practice is legal. “There is not much in the law that would prevent someone from using the technology unless its use rises to the level of stalking or harassment,” said the Electronic Frontier Foundation. “License plates are exposed to public view, and ALPR companies like Vigilant consistently argue they have a First Amendment right to photograph plates and retain the data they collect.” [Ars Technica]

Electronic Records

US – How Electronic Health Records Are Harming Patients

EHRs are designed to support billing more than patient care, experts say. It shouldn’t come as a surprise that most doctors are unhappy with their electronic health record (EHR) systems, which tend to be clunky, hard to use and may actually get in the way of truly excellent patient care. Doctors’ biggest complaint about the EHR is that it slows them down, especially in the documentation phase. “Compared to handwriting or dictating, EHRs take doctors 9 times longer to enter the data… Sure, you have more information in the EHR than in paper records, but it takes more time.” Other alerts go off to prevent adverse drug interactions with other medications, allergies, or foods. Many of these are inapplicable to particular patients, and after a while, doctors may stop paying attention to them or turn them off. Three quarters of EHRs don’t allow the customization of these alerts. [Source]

Encryption

US – Comey Calls on Tech Companies Offering End-to-End Encryption to Reconsider “Their Business Model”

Comey and other government representatives have been pressuring companies like Apple and Google for many months in public hearings to find a way to provide law enforcement access to decrypted communications whenever there’s a lawful request. Deputy Attorney General Sally Quillian Yates said in a July hearing that some sort of mandate or legislation “may ultimately be necessary” to compel companies to comply, but insisted that wasn’t the DOJ’s desire. Now, there’s little pussyfooting about it. “There are plenty of companies today that provide secure services to their customers and still comply with court orders,” he said. “There are plenty of folks who make good phones who are able to unlock them in response to a court order. In fact, the makers of phones that today can’t be unlocked, a year ago they could be unlocked.” [The Intercept] SEE ALSO: [Senator Feinstein Working on Legislation to ‘Pierce’ Encryption] and [Don’t breach encryption warns privacy watcher] [How not to report on the encryption ‘debate’] and [Advocates and White House Officials Meet To Discuss Encryption Backdoors]

EU Developments

EU – First-Ever Breach Notification Law Passed in the EU

The European Union agreed to its first cybersecurity law, dubbed the Network and Information Security Directive (NISD), which mandates certain companies, like those operating critical infrastructure or financial services, along with Internet companies such as Amazon and Google, to report large-scale security incidents. “The internet knows no border—a problem in one country can have a knock-on effect in the rest of Europe,” said the European Commission’s Digital Chief, Andrus Ansip. “This is why we need EU-wide cybersecurity solutions. This agreement is an important step in this direction,” he added. “Member states will have to cooperate more on cybersecurity, which is even more important in light of the current security situation in Europe,” said European Parliament’s Rapporteur Andreas Schwab in a Computer Weekly report. [Reuters] [Hogan Lovells Summary: Agreement Reached on First EU-Wide Rules to Improve Cybersecurity]

An EU Parliament press release reports that the rapporteur on the general data protection regulation, Philipp Albrecht, is optimistic that the three-way trilogue discussions will result in a final deal by the end of 2015. Learn more

The European Data Protection Supervisor (“EDPS”) has established an external advisory group on the ethical dimensions of data protection; members of the Advisory Group will be appointed for a term from February 1, 2016 till January 31, 2018. Learn more

Facts & Stats

CA – City of Toronto Says You Need Permission to Photograph Your Own Kids in a Park or Outdoor Rink

A Star editor was not happy to be told on a trip to Colonel Sam Smith Skating Rink with his kids that he wasn’t allowed to take photos. The city says he technically needs permission, but staff are supposed to use discretion. Since at least 2001, the City of Toronto has had a policy stating: “Patrons wishing to use cameras, video cameras or other photographic devices, including camera phones and PDAs (Personal Digital Assistants), in any program or facility must receive permission from staff before filming. Pictures may only be taken of children/patrons in their personal care. Every attempt should be made to limit or eliminate other patrons from being filmed in the background. When possible staff should make a verbal request for permission to photograph other patrons who may be in the area where pictures are being taken.” [Source]

Finance

WW – Data Privacy Concerns Hinder Mobile Payment Adoption

Identity theft, payment fraud and data privacy concerns remain the biggest barriers to mass adoption of mobile payment services, according to an Inside Secure survey of 1,217 American consumers. The survey revealed that 17% of respondents who did not make holiday purchases with their mobile phone last year plan to use a payment service such as Apple Pay, Android Pay, Samsung Pay or a proprietary service from their bank or card issuer to make the leap to mobile payments this holiday season. Seventy percent of people who are not planning to use their smartphone to make in-store holiday purchases state that their concerns about identity theft prevent them from using in-store mobile payment applications. 70% state that their concerns about mobile payment fraud prevent them from using in-store mobile payment apps, and 71% stated that the privacy of their transaction data was a top concern.

FOI

UK – ICO Warns of Return to the ‘Dark Ages’ Upon Launch of FOI Review

The Information Commissioner’s Office praised the work of journalists and said the introduction of flat rate fees would be “disproportionate”. On protection given to “internal deliberations of public bodies”, the ICO said current exemptions under section 35 and 36 of the act are “sufficient”. Graham said: “The danger is that the Whitehall machine might run more smoothly, [but] you are back to that world of private government – which I just don’t think fits with the 21st century.” He also suggested Whitehall’s “concern” over the FoI Act is “slightly overdone”, saying a “very small minority” of cases that come to his office result in defeats for the Government. [Source]

Health / Medical

AB – Alberta OIPC Report Finds Health Department Flouts Privacy Law

The Alberta Office of the Information and Privacy Commissioner released an investigation report that found Alberta Health has failed to provide the required oversight to prevent privacy breaches involving electronic health records. The report found a legally-mandated committee charged with overseeing stewardship of data made available through Netcare was effectively disbanded two years ago. Netcare contains millions of records – including lab results, drug prescriptions and hospital discharge summaries – that can be accessed electronically by over 44,000 registered users in health care facilities and doctors offices around the province. [Source]

US – OCR’s Enforcement Efforts Focus on Big Breaches Over Small

Smaller healthcare breaches, like doctors revealing patient details in Facebook statuses or the inappropriate sharing of patient files, rarely get the Office for Civil Rights’ (OCR) focused attention and enforcement efforts that large-scale breaches do. “Health providers are required to notify the office within 60 days of breaches affecting at least 500 people and also must share details with the media and contact those potentially affected.” “Rarely do small privacy breaches get anywhere near the same attention, except when they involve celebrities or high-profile individuals.” This September, the Health and Human Services’ “inspector general issued a pair of reports that criticized [the OCR], including its handling of small breaches,” which found that the “OCR did not investigate the small breaches reported to it or log them in its tracking system.” [NPR]

WW – Survey: Healthcare Pros Unsure Data Sharing, Privacy Can be Reconciled

A Privacy Analytics survey of 271 healthcare professionals determined that more than two thirds of respondents lack confidence in their organizations to share data while protecting privacy. “Confidence in protecting privacy is correlated to an organization’s data management practices,” the survey states. “Respondents whose organizations use de-identification software or third-party de-identification services are more likely to have complete confidence in the ability to responsibly share data for secondary use.” Meanwhile, a CIO Summit survey discovered that “board and leadership involvement is essential in creating the right solutions and strategies for healthcare organizations.” [HealthITSecurity]

WW – OTA Releases Checklist on Smart Device Safety

The Online Trust Alliance (OTA) has released a checklist aiming to help consumers avoid getting hacked as they use any of the 50 million smart devices that will be sold over the holiday season. “That’s 50 million opportunities for data and home network compromises as well as privacy abuses, which is why it’s imperative that consumers follow our guidelines,” said OTA executive director and president. “Consumers should not have to pay twice—once with their credit card and then again in perpetuity with their personal data, identity and safety.” The checklist can be found here. [NetworkedWorld]

WW – Mental Health Apps on the Rise, But What About Privacy?

Scientific American reports on the increase in mental healthcare apps and the privacy concerns that come along with such sensitive data collection. New mobile devices help users diagnose and monitor mental health symptoms, but in order to do so, such technology needs to passively gather constant streams of personal data—including sleep patterns and physical activity. In addition to an alleged lack of evidence-based research proving mental health apps are working, there is also concern that privacy is not appropriately protected. A task force set up earlier this year by the American Psychiatric Association noted, “This is a challenging task given the lack of clinical data on how apps can help or harm patients, serious concerns about privacy and data security and the need for more discussion on related ethical issues.” [Scientific American] In 2013, a study in the JMIR mHealth uHealth, revealed that only five apps targeting depression, anxiety and substance abuse had been tested for clinical effectiveness. A similar study this May in Internet Interventions showed that by last November there were only 10 peer-reviewed published articles for depression apps, and four for bipolar disorder.

Horror Stories

US – University Medical Center Agrees to Pay $15,000 for Breach of Patient Information

An employee of the center provided a list of patient information (names, addresses and diagnoses) to her future employer. The agreement requires the center to provide to the Attorney General its privacy, security and breach notification policies and procedures and notification of any breach of unsecured PHI; all staff must be trained on any new or revised policies and procedures. [New York State Office of the Attorney General – A.G. Schneiderman Announces Settlement With University Of Rochester To Prevent Future Patient Privacy Breaches | Press Release | Settlement Agreement]

US – Moms Sue Mattel Over Talking Barbie

Two mothers have filed a class-action against Mattel claiming the company’s Hello Barbie doll “invades children’s privacy.” The doll uses speech recognition software to talk to kids and then stores the conversations in the cloud, the report states. Users must register the doll and create an account, at which point parents receive an e-mail stating recordings won’t be used for ads and any personal information collected in conversation will be deleted. The plaintiffs say the doll doesn’t comply with the Children’s Online Privacy Protection Act (COPPA) in part because children across the country, friends of doll-owners, have been recorded without their parents’ permission. [Full Story]

Internet / WWW

WW – Support for Old Internet Explorer Sunsets

After January 12, 2016, Microsoft will no longer provide updates for older versions of Internet Explorer (IE). One estimate suggests that as many as 124 million users are running Internet Explorer versions 10 and earlier. The only version of IE that will continue to receive updates after January 12, 2016 is IE 11. [Microsoft] [ZDNet]

WW – Windows XP Embedded Extended Support Expires Next Month

Microsoft is scheduled to end Extended Support for Windows XP Embedded, which is still running on many of the UK’s 70,000 cash machines. ATM owners are urged to upgrade their systems prior to January 12, 2016, after which time Microsoft will no longer provide updates. [v3.co.uk]

Privacy (US)

WW – Top Privacy Stories for 2016: US-EU Transfers, Cybersecurity, and Government Surveillance

Organisations should monitor the following topics in 2016 – Safe harbor 2.0 (may depend on the outcome of the Judicial Redress Bill which is currently before the Senate) and the Network Information Security Directive (“NISD”) which is to be published in 2016 by the European Commission (it will require organisations to take appropriate technical and organisational measures to manage risks posed to the security of networks and report “significant cyber security incidents” to regulators). [Source]

US – Multinational Hotel Chain Must Maintain Detailed Security and Audit Program as Part of 20-Year Settlement Agreement with FTC

The FTC is granted an injunction against Wyndham Hotel Group in relation to alleged unfair and deceptive security practices in violation of the FTC Act. The FTC had filed a lawsuit against Wyndham in 2012 alleging unfair acts or practices related to a security breach. The chain is required to implement and maintain a comprehensive security program (e.g. appointing an individual(s) responsible for the program and conducting risk assessments); a written assessment of the chain’s compliance with the approved standard (defined as PCI DSS or a comparable standard submitted by the chain and approved by the FTC) must be conducted by a qualified and independent third party assessor annually, and within 180 days of a breach of more than 10,000 unique payment card numbers. [FTC v. Wyndham Worldwide Corporation, et al. – Stipulated Order for Injunction – United States District Court For The District Of New Jersey]

US – FTC Explains How Their Enforcement Practices Differ from the FCC

The FCC reclassified broadband as a Title II common carrier service and, as a result, the FTC’s jurisdiction over ISP practices is limited; the FTC is concerned that what appears to be a “strict liability” data security standard will actually harm consumers, since the costs imposed by a regulator on a legitimate, non-fraudulent company are ultimately borne by its consumers (a recent FCC Order fined an ISP $595,000 when there was no evidence of any consumer harm). [Source]

US – Class Action Lawsuit Alleges Smart TV Manufacturer’s Tracking Software Surreptitiously Collects and Discloses Users’ Viewing Habits

A class action lawsuit filed against Vizio, a smart TV manufacturer, and Cognitive Media Networks, a tracking technology company, (collectively, the “Defendants”) alleges violations of the Video Privacy Protection Act (“VPPA”) and various California laws. [Palma Reed et al. v. Cognitive Media Networks, Inc. and Vizio, Inc. – Class Action Complaint and Demand for Jury Trial – In the United States Court For The Northern District Of California San Francisco Division]

US – Advocacy Group Says All Drones Should be Registered and All Operating Drones Should Have GPS Tracking

An advocacy group submits comments in response to the Federal Aviation Administration (“FAA”)’s request for public comments on drone registration requirements. The FAA should mandate registration for all drones (regardless of size) and require any drone operating in national airspace to include a GPS tracking feature that would always broadcast the owner identifying information; the registration database of commercial operators should be publicly available, but privacy protections should be implemented for hobbyist operators (restricting the use and release of their information for specific purposes). [Comments to the U.S. Department of Transportation, Federal Aviation Administration – Clarification of the Applicability of Aircraft Registration Requirements for Unmanned Aircraft Systems (UAS) and Request for Information Regarding Electronic Registration for UAS – Electronic Privacy Information Center]

Privacy Enhancing Technologies (PETs)

WW – New Privacy-as-a-Service Cloud Tech Unveiled

New technology released this week purports to protect the privacy of users by providing “invisible connections and invisible computers.” Dispel CEO said “We have built an engine that allows us to dynamically generate unattributable, encrypted and ephemeral infrastructure using multiple cloud providers.” The system connects a user’s device to Dispel’s network in a way that does not reveal the user’s identity, location or content. “We are a totally new proprietary technology …There are no fixed network targets and nothing is publicly listed, so users don’t need to trust a random stranger.” [eWeek]

WW – File-Sharing Data in the Cloud Sheds Privacy Light

Cloud provider Skyhigh took stock of 500 companies it serves, finding that 39% of cloud-sent “corporate data” finds its way to file-sharing applications. However, “worryingly from a data security perspective, the average organization shares documents with 826 external domains, which includes business partners and personal email addresses,” the report states, adding that 9.2% of data shared externally includes delicate information. “While there are a lot of numbers in here, there are some patterns that will either be of concern (if you’re a security-conscious CIO within a highly regulated industry) or positive (if you’re involved with a cloud file sharing solution provider),” the report continues. “Either way, surfacing this sort of data helps everyone plan and react to what is going to be a continuing pattern of use.” [Computerworld]

RFID / Internet of Things

CA – Canadian Regulation Should Accord with International Approaches

A law firm discusses the regulation of and the Canadian approach to the Internet of Things (“IoT”). Regulations that are not in line with international approaches can lead to increased regulatory compliance costs to enter the Canadian market and increased barriers to Canadian companies entering global markets; suggested practices issued by the US FTC include data minimization, prioritization of building security into devices, adequately training employees, monitoring devices and reporting security breaches to consumers. [The Internet of Things – Guidance Regulation and the Canadian Approach – Kirsten Thompson and Brandon Mattalo – McCarthy Tetrault]

Security

WW – Majority of 2015 Breaches Due to Employee Error: Global Survey

A cybersecurity report released by the Association of Corporate Counsel has found the most common reason for a data breach at companies is employee error. The report surveyed more than 1,000 in-house lawyers in 30 countries and found 30% of breaches in 2015 were the result of employee error. Other causes included unauthorized access to data by insiders and phishing attacks. 50% said their company has cyber insurance, with 68% reporting coverage of $1 million or more. [Wall Street Journal]

WW – Ransom Paid By Police and Law Firms to Hackers: Expert

The president of the Privacy and Access Council of Canada says it’s not just individuals and small businesses who are shelling out to hackers who infect their computers with viruses. “Police departments and law firms are very, very attractive targets and they pay quite often,” said Sharon Polsky, a Calgary data protection and privacy expert. “If it’s worth it to them to regain control of their information, absolutely they’re going to pay it,” she said. [CBC]

Surveillance

US – FBI Official Says the Agency Uses Zero-Days, StingRays

FBI executive assistant director for science and technology Amy Hess acknowledged that her agency uses zero-day vulnerabilities in the course of its investigations. Hess also said that the FBI has never issued a gag order to police regarding the use of cell-site simulator technology, often referred to as StingRay. What the FBI does not want disclosed are the “engineering schematics,” or technical details about how the device works. [Washington Post] [ArsTechnica] SEE ALSO: [Feds Ordered to Disclose Data About Wiretap Backdoors] [Judge prods FBI over future Internet surveillance plans]

US – Federal Judge Orders Justice Department to Disclose Wiretap Program Info

A federal judge is ordering the Justice Department to disclose more information about its so-called “Going Dark” program, an initiative to extend its ability to wiretap virtually all forms of electronic communications. The ruling by U.S. District Judge Richard Seeborg of San Francisco concerns the Communications Assistance for Law Enforcement Act, or CALEA.

UK – UK’s Surveillance Camera Commissioner Issues First Annual Report

The report deals with video surveillance cameras, body worn cameras and Automated Number Plate Recognition. [Report]

WW – U.N. Calls for ‘Anti-Terror’ Internet Surveillance

A United Nations report calls for Internet surveillance, saying the lack of an “internationally agreed framework for retention of data” is a problem, as are open Wi-Fi networks in airports, cafes, and libraries. The United Nations is calling for more surveillance of Internet users, saying it would help to investigate and prosecute terrorists. A 148-page report titled “The Use of the Internet for Terrorist Purposes” warns that terrorists are using social networks and other sharing sites including Facebook, Twitter, YouTube, and Dropbox, to spread “propaganda.” The report, released at a conference in Vienna convened by UNODC, concludes that “one of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.” Europe, but not the U.S. or most other nations, has enacted a mandatory data-retention law. [CNET]

US Government Programs

US – OPM IG Report Found the Agency Dropped the Ball

The Office of Personnel Management’s (OPM) Inspector General (IG) publicly released its report this week, which found the agency improperly handled how it awarded its contract to the company responsible for the first round of data breach notifications, prompting House Oversight Committee Chairman Jason Chaffetz (R-UT) to call for the resignation of OPM Chief Information Officer Donna Seymour. “I write once again to augment my concerns that Ms. Donna Seymour … is unfit to perform the significant duties for which she is responsible,” he said. “It is troubling that yet another IG report has found that Ms. Seymour failed to effectively fulfill her duties.” According to the IG, the agency’s contractual agreement with vendor CSID violated federal contracting regulations in five ways, including inadequate market research and an unreliable contract file. [CNN]

US Legislation

US – Librarians and Privacy Advocates Ally to Condemn Cybersecurity Bill

The American Library Association, the world’s oldest and largest library association, has joined with 18 other groups to issue a letter to the White House and Congress urging lawmakers to oppose the final version of a bill they claim will dramatically expand government surveillance while failing to tackle cyber-attacks. Politicians from both sides of the House have been pushing for stronger cybersecurity measures in the wake of the Paris attacks and the recent San Bernardino shooting. Republican House speaker Paul Ryan has been leading the charge to push through legislation and reconcile two bills, the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act, with the Cybersecurity Information Sharing Act of 2015 (CISA), a controversial bill that passed a Senate vote in October. According to the letter’s signatories, the proposed “conference” legislation would:

  • Create a loophole that would allow the president to remove the Department of Homeland Security, a civilian agency, as the lead government entity managing information sharing.
  • Reduce privacy protections for Americans’ personal information.
  • Overexpand the term “cyber threat” to facilitate the prosecution of crimes unrelated to cybersecurity.
  • Expand already broad liability protection for information disclosure.
  • Pre-empt state, local or tribal disclosure laws on any cyber-threat information shared by or with a state, tribal or local government.
  • Eliminate a directive to ensure data integrity.

Moreover, they argue, the legislation would dramatically expand the amount of sensitive information held “by government agencies with dismal records on data security” and institute “blind, automatic transfer of personal information to intelligence agencies, including the National Security Agency, that would be authorized to use the information for non-cybersecurity purposes.” [The Guardian]

US – Student Privacy Laws Are On the Rise

Student data privacy legislation has been on a tear recently. At the state level this year, 47 states have introduced 186 bills addressing student data privacy, and 15 states passed 28 new laws. Much of the legislation is modeled on California’s landmark Student Online Personal Information Protection Act, effective January 1. Both the U.S. Senate and the House have responded to President Barack Obama’s call for enhancing student data safeguards under the Family Educational Rights and Privacy Act with new legislative proposals. If there’s one privacy goal that commands widespread political support, it’s the protection of student data. But protection from what? [IAPP News] [Data Quality Campaign]

Workplace Privacy

WW – Questions to Consider When Monitoring Employees

There has been an increase in the technology available to help organizations monitor their employees and protect their property and assets. Any time a business engages in employee monitoring, it also risks alienating its employees or even running afoul of state or federal law. But what kinds of questions should organizations be asking when deciding to track and monitor their workforce? This article looks into an array of monitoring techniques and lays out the types of questions privacy pros should consider when engaging in this important, but potentially controversial, activity. [Full Story]

+++


26 Nov – 06 Dec 2015

Big Data

WW – Smarter Cities Will be based on Open Data, says Expert

Imagine a world where the smart meters used to record and manage energy consumption in homes are used by health care providers to monitor outpatients, or where information recorded by traffic cameras or road sensors is used to help people plan their journeys more efficiently. Regardless of the model being adopted, the success of smarter cities will depend on the liberalisation of data that has been traditionally locked into individual bits of infrastructure. Freeing up that data, and using software to manipulate the information for wider use, will deliver benefits like smarter energy consumption, transportation, city planning and health care in cities. [Out-Law]

WW – Most Businesses Collecting Data They Never Use, Survey Finds

Most companies in the UK, France and Germany collect data they never use, according to a new survey. 22% of respondents admitted that they often collect data that they never end up using, whilst half of those surveyed said it “happens occasionally.” Just over a quarter of respondents (26%) said they always use the data they collect. A lack of internal skills, cost, the time-consuming nature of data processing and a lack of “proper data processing tools” were all cited as reasons why organisations do not “fully process” the data at their disposal. In an opinion issued on data protection and the internet of things (IoT) last year, EU privacy watchdog the Article 29 Working Party warned businesses that collect personal data not necessary for the purposes they wish to pursue, in the hope that they will find a use for it in future, that they could be found in breach of EU data protection laws. [Out-Law] SEE ALSO: [Big Data to Become a Big Asset at Deutsche Bank] and [How to Keep Your Customers’ Trust While Collecting and Learning From Their Data] and [The Internet of Things: Guidance, Regulation and the Canadian Approach] and also [Nielsen study on Information Security for Small and Medium Enterprises recently commissioned by Chartered Professional Accountants of Canada]

Canada

CA – BC Commissioner Recommends FIPPA Amendments

B.C.’s FIPPA should be amended to require public bodies to have a comprehensive privacy management program (including privacy training and a FIPPA complaints process) and to require notification to individuals and the OIPC of any breach that would cause significant harm; the OIPC’s current complaint process and its review and inquiry process should be streamlined into one process, and the penalties for offences under FIPPA should be raised to a maximum of $50,000 for both general and privacy offences. Other recommendations include requirements for public bodies to document key actions and decisions, to apply de-identification methods to public data sets and to correct PI when an individual requests it, amended definitions of “data-linking” and of “advice” vs “recommendations”, and the enactment of new comprehensive health information laws. [OIPC BC – Submission to the Special Committee to Review the Freedom of Information and Protection of Privacy Act] [Press Release] [Speech]

CA – BC Supreme Court Rules OIPC Has Responsibility for Breach Remedies

The Supreme Court heard an appeal and cross-appeal of an appellant’s claim of breach of privacy by an employee of the Insurance Corporation of BC. At issue were claims for vicarious liability for breach of privacy, and for negligent breach of a statutory duty. According to the ruling, the BC FIPPA provides a comprehensive complaint and remedy procedure for public bodies that fail to protect personal information; the Commissioner has supervisory responsibility over the adequacy of a public body’s information security arrangements, can investigate and attempt to resolve complaints, and has ordering powers. [Ari v Insurance Corporation of British Columbia – Court of Appeal for British Columbia – 2015 BCCA 468 CanLII] See also: [Quebec Privacy Commission Encourages Organisations to Report Security Incidents] [Press Release (French)] [Security Incident Reporting Form (French)]

Consumer

WW – Growing up Cyber: Generation Z and Online Privacy

A new study analyses where Generation Z excels in privacy and where it may need a friendly nudge in the right direction, examining passwords, messaging apps, cybercrime and social media privacy. It notes that Generation Z became experts in adjusting their privacy settings for fear of embarrassing baby pictures popping up on their friends’ newsfeeds, and are well versed in how to hide information and what to do when something just doesn’t feel right. Case in point: 74% of teen social media users have deleted people from their networks. [Source]

E-Government

US – New Federal Council Will Hone in On Data Privacy Issues

The Office of Management and Budget is creating a new Federal Privacy Council to make policy recommendations, establish best practices and foster a community of privacy professionals within the federal government. The Privacy Council will be modeled on the Federal CIO Council — a group of agency CIOs that work together to advise on IT priorities. The new council will form in early 2016. [Source] SEE ALSO: [OPM Just Now Figured Out How Much Data It Owns: The Atlantic] See also: [Lessons learned from the Adobe data breach]

Encryption

WW – Free Encryption Certificates Now Available to Public

The Let’s Encrypt project is now offering free TLS certificates to the general public. The project, which is run by the Internet Security Research Group, initially ran a trial for a small group of volunteers earlier this fall. The certificates are trusted by all major browsers. [The Register]

WW – Blackberry to Leave Pakistan Over Government Access Demands

BlackBerry has announced it will no longer operate in Pakistan because of local government demands for access to communications. The government wanted access to all BlackBerry Enterprise Service (BES) traffic in the country, including all BES emails and messages. “We do not support ‘back doors’ granting open access to our customers’ information and have never done this anywhere in the world,” wrote BlackBerry’s Chief Operating Officer. [Computerworld]

WW – Dell Installs Root Certificates on Laptops, Endangers Users’ Privacy

Users are reporting that some Dell laptops sold recently come preloaded with a self-signed root digital certificate that lets attackers sniff traffic to any secure website. “If I were a black-hat hacker, I’d immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone’s encrypted communications,” said the CEO of a major security firm. “I suggest ‘international first class,’ because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking.” [PC Advisor] SEE ALSO: [Millions of Internet Things are “secured” by the same “private” keys]

EU Developments

EU – Report Argues Greater Role for DPAs in Supervising Intelligence Agencies

According to a new report by the European Union Agency for Fundamental Rights, there is no consistency in EU Member States’ oversight systems in relation to intelligence services (e.g. in almost half of all Member States DPAs have no competence over intelligence services), and there are gaps between DPAs and oversight bodies; in almost one third of Member States there is no law providing for the obligation to inform and the right of access. [Surveillance by Intelligence Agencies: Fundamental Rights, Safeguards and Remedies in the European Union] [Summary] [EU wants to give national privacy regulators more clout in new U.S. data pact] SEE ALSO: [EU Member States Agree Higher Fines for Firms For Privacy Violations]

EU – Officials Pressing Tech Companies for More Access

EU officials want the large U.S.-based technology companies to work with them in providing more access to user data to help fight terrorism. Companies including Facebook, Twitter, Microsoft, Apple and Alphabet’s Google reportedly met with government and law-enforcement officials from the EU to talk about ways of cooperating to fight terrorism. One meeting in Paris with the French PM focused on finding ways to quickly remove propaganda from social networks, but another focus for EU officials was on finding ways to include so-called back doors into encrypted services. [The Wall Street Journal]

UK – Snooper’s Charter: Privacy Groups Challenge Controversial Bill

Security experts, civil liberty groups and technology organisations have pushed back against key sections of the recently revealed Investigatory Powers Bill in 46 separate written submissions to the government. Now, as the bill faces increasing scrutiny, V3 has analysed the submissions sent to the Science and Technology Committee to pick out the key arguments, finding strong opposition to approaches on encryption, bulk surveillance and hacking. [Source]

EU – EU-Based Cloud Aims to Solve Safe Harbor Data-Storage Conundrum

European cloud provider Zettabox launched its Zettabox Euro Harbor service, which is geared toward helping U.S. companies meet data storage requirements after the fall of Safe Harbor. The new service aims to allow companies acting as data controllers and operating in Europe to store their clients’ data in the EU in one of 10 European data centers, offering reassurance to EU customers and regulators that U.S. law enforcement and intelligence services can’t legally access the data stored on such servers. [TechWeek]

EU – “Privacy Bridges” Proposals at Amsterdam Commissioners’ Conference

19 renowned privacy experts from the US and the EU have developed ten practical proposals to increase the transatlantic level of protection of personal data. Most proposals can be implemented within the existing, differing legal systems and are applicable worldwide. They are pragmatic bridges that benefit people, companies, governments and supervisory authorities. The experts presented their report at the International Privacy Conference at the end of October in Amsterdam. Their paper is now available. [Privacy Conference 2015] [EU-U.S. Privacy Bridges]

UK – ICO Announces Search for Successor

The ICO announced that it is seeking a successor to its head, Christopher Graham. The job listing notes, “This is a demanding and high profile role as a key UK regulator. The successful candidate will be an outstanding individual with a strong professional track record who is able to take and defend difficult decisions, to win the confidence of a wide range of stakeholders from all sectors and to act as the public face of the organization at a domestic and international level.” The office is based in Wilmslow, Cheshire, with three regional offices, and employs roughly 400. The appointment is for five years. [Press Release]

Facts & Stats

WW – Google Releases Right To Be Forgotten Statistics

Google’s most recent Transparency Report reveals that the search engine took stock of 1.2 million webpages in its right-to-be-forgotten evaluations, eradicating 42% of problematic links, the majority of which were Facebook-borne. “Google doesn’t explain in its data why it removes some links and keeps others,” the report states. “But it dropped clues signaling it takes into account whether someone is a public or private figure, whether it considers crimes to be minor, and whether embarrassing incidents took place during a person’s private or professional life.” The countries with the highest number of requests? France and Germany. [The Wall Street Journal] [Facebook tops Google’s list of domains for ‘right to be forgotten’ requests]

CA – Data Breaches Cost Canadian Companies $250 per Record

IBM partnered with the Ponemon Institute to examine the cost of data breaches in Canada. Twenty-one companies participated in the study, which found that the average per capita cost of a data breach is $250 and the average total organizational cost is $5.32-million. The industries with a per capita data breach cost of substantially more than $250 were financial, services, technology and energy. Public sector, education and consumer organizations had a per capita cost well below the overall mean value. [Globe & Mail]

Finance

WW – PCI SSC Explains How to Respond to a Breach

The Payment Card Industry Security Standards Council (PCI SSC) published a three-page guide titled Responding to a Data Breach that articulates its position on the correct response to a security incident at a merchant location where the attack exposed cardholder data. This guidance highlights some of the difficulties in developing proper response procedures, specifically the challenge of mapping out complete, thorough procedures that actually hold up under the stress of an actual incident. [IAPP]

FOI

CA – Liberal Transparency Reforms Subject to ‘Review’ Next Year

Trudeau has pressed for reform of access to information since 2014, but nothing is planned for 2015. The Liberal government quickly implemented some key policies, including the removal of a gag order on government scientists, shutting down a court case about niqabs at citizenship ceremonies and ramping up Syrian refugee processing. But there has been no directive from the top about releasing more documents under freedom-of-information law, a move the U.S. president made on his first day in office. [CBC]

US – FTC goes ‘Star Chamber’ on Warrant Transparency

Nobody knows how many administrative subpoenas are issued by government agencies. Administrative subpoenas are warrants for records such as private “papers” and emails. They are issued unilaterally by government bureaucrats and are impossible to reconcile with the Fourth Amendment’s requirements of “oath and affirmation” of “probable cause” before neutral judges. Watson and The Daily Caller News Foundation have issued multiple FOIA requests to various government agencies to get a sense of how many of these subpoenas are issued. [Source]

UK – ICO Guidance for Removing PI When Responding to Access Requests

The UK Office of the Information Commissioner published guidance on how to disclose information safely when responding to information requests. Organisations should control access to files containing personal data and use specific software to permanently redact information intended for release in an electronic format; when considering disclosure of files, organisations should consider if the file contains linked data, meta-data or comments that should be removed. [ICO UK How to Disclose Information Safely – Removing Personal Data from Information Requests and Databases]

Genetics

CA – Supreme Court Zeroes in on Penile Swabs

The clash between the privacy rights of a criminal suspect and the powers of police is once again before the Supreme Court. This time the court must decide whether police are permitted to force an individual suspected of committing a sexual assault to provide a genital swab for the purposes of obtaining DNA evidence. The trial judge found that the search (leading to a match) was unreasonable but admitted the evidence under s. 24(2) of the Charter. A majority of the Alberta Court of Appeal found that a warrant should have been obtained first, yet it also upheld the conviction under s. 24(2). The other judge on the panel found that this was a legitimate search incident to arrest under the common law powers of police and a warrant was not necessary. According to the Alberta Crown and the Ontario Ministry of the Attorney General, which is an intervener, whether a genital swab without a warrant is appropriate should be governed by the same test the Supreme Court set out in R. v. Golden for strip searches. They argue that a genital swab is no different than a test for gunshot residue on a suspect and is not an intrusion on bodily integrity. [Law Times]

Health / Medical

US – ONC Issues Guidance on PHRs

A report prepared for the Office of the National Coordinator for Health IT provides practical and useful guidance to Health Information Exchange (“HIE”) organizations that are interested in designing and implementing a Personal Health Record (“PHR”) as part of their portfolio of services. [Final Report: HIEs and Personal Health Records Community of Practice: Key Considerations for HIE-based Personal Health Records]

US – White House Issues Medical Guidelines and Funding Opportunities

Last month the White House released the Precision Medicine Initiative (PMI) Privacy and Trust Principles, aimed at building patient trust and protecting patient privacy in precision medicine-related activities, as the National Institutes of Health (NIH) announced the availability of $72 million in PMI-related funding opportunities for fiscal year 2016. A Security Policy Framework that will help ensure that security is built into the foundation of the PMI is in development. [Hogan and Lovells]

US – HIPAA Questions Portal a Hit

Some healthcare providers are pleased with the U.S. Department of Health and Human Services’ nascent HIPAA Questions Portal as use of the tool grows. The system allows those in the field to pose questions to HIPAA experts, thus avoiding breaches of protocol. Meanwhile, privacy concerns regarding the app dubbed “the Instagram for doctors” abound. [iMedicalApps]

Horror Stories

US – Toymaker Breach Affects Six Million Children, 4 Million Adults

Toymaker VTech announced that an attack on its Learning Lodge app store and Kid Connect messaging system databases exposed the data of 6.4 million children and 4.9 million adults. The largest percentage of those affected were in the U.S., with France, the UK, Germany and Canada all in the top five. The stolen data on children included name, gender and birth date; and from adults, name, mailing address, email address, password retrieval questions, IP address and passwords. [The Register] [Washington Post] [Bloomberg] [The Wall Street Journal: VTech Begins Breach Clean-Up] [Reuters] See also: [VTech Hacker Explains Why He Hacked the Toy Company]

Identity Issues

US – Concerns Over ID Protection Overlook Dangers of Inference

The IAPP VP of Research and Education discusses the debate surrounding de-identification. The discussion thus far has generally focused on protecting identity, but that’s distracted policymakers from a central privacy problem in this age of big data, “the ability of organizations to draw highly sensitive conclusions about you without exposing your identity, by mining information about ‘people like you,’” he writes. As such, the main privacy issue isn’t identity, but inference, because even without identification, “machine-made inferences pose risks to societal values of privacy, fairness and equality.” [Yale Journal of Law & Technology] SEE ALSO: [How Dynamic Data De-Identification Is a Bridge to the Future]

CA – Yukon IPC: Health Numbers, Cards Unsuited for Secondary Purposes, Uses

The Yukon Info & Privacy Commissioner issued comments on the Dep’t of Health and Human Services’ proposed development of regulations under the Health Information Privacy and Management Act. The proposed regulations would allow other uses of health cards for government and non-government programs and services; this presents significant risks: public bodies do not have privacy management programs in place, and non-governmental organizations that may use the cards may not be subject to any privacy laws. [Health Information Privacy and Management Act Public Consultation – IPC Comments]

US – Woman’s Ex Used ID-Theft Service to Track Her

An Arizona woman says her ex-husband was able to track her financial movements using an identity-theft protection company after he used her Social Security number to open a bogus account in her name at LifeLock, allowing him to receive alerts and emails when the woman applied for credit cards, leased a car and opened a bank account. “He knew everything I did,” she said. [USA Today]

Law Enforcement

ON – Mental Health, Carding Records No Longer Disclosed by Police

A new Ontario law mandates that police first disclose the results of a record check to the person who is the subject of those records; that person must then provide written consent before police may disclose the information to the third party that requested the check. The Liberal government introduced the act after stories emerged of people being stopped at the U.S. border after records of suicide attempts were disclosed and people being prevented from volunteering because they had witnessed a crime. This legislation does not cover information sharing between police agencies, so it may not prevent mental health records being used to turn people away at the border. [City News]

CA – RCMP Unveils Plan to Tackle Cybercrime

The RCMP published its Cybercrime Strategy setting out objectives, strategic enablers and 15 action items to be implemented over the next 5 years. The Mounties’ strategy is designed to tackle technology-based crime that is increasingly moving beyond their ability to investigate because of advanced encryption, the global reach of crime and enhanced privacy protections. Missing in the RCMP report — and the broader debate about privacy versus public safety in Canada — is comprehensive data from police detailing the scope of the problem. [Source] See also: [‘We can’t protect public from cyber crimes’: RCMP boss] [RCMP need warrantless access to online subscriber info: Paulson] [The RCMP wants more online surveillance power. We should say no] [Once again, the RCMP calls for warrantless access to your online info. Once again, the RCMP is wrong]

US – LA Considers Notifying Potential Johns They’re Being Watched

L.A. City Council wants to tackle prostitution by taking note of the license plates of drivers who linger in the area and sending “Dear John” letters to their homes. Critics call the move “stigmatic” for neighbors, while arguing that some cars, like garbage trucks, aren’t necessarily in the neighborhood for company. Displeasure with being surveilled seems to be the biggest concern, however. “Registered owners will know the city is watching your every move and notifying you of it,” said a commenter at a public hearing on the motion. “If Hitler were here, he would applaud you today,” he added, saying in no uncertain terms that he felt the proposal to be “fascism on steroids.” [fusion.net]

Location

EU – CNIL Identifies When Employees’ Work Vehicles Can Be Tracked

France’s Commission nationale de l’informatique et des libertés (“CNIL”) published guidelines on geolocation tracking in vehicles. Geolocation devices can be installed on employee vehicles to monitor and charge for a transport service (such as an ambulance, when billing the health insurer), for the security of employees (e.g., a commercial truck carrying merchandise of great value), and to improve the allocation of resources (e.g., identifying the ambulance closest to an accident); geolocation devices cannot be installed to monitor compliance with speed limits. [CNIL Guidelines for the Use of Geolocation Tracking of Employees (French)]

Online Privacy

WW – Cross-Device Tracking Raises Consumer Awareness Concerns

At a workshop on cross-device tracking, the FTC Chairwoman described the uses of probabilistic models, which draw inferences from information over which the user has no control, such as shared IP addresses or location information when two devices are consistently used together in the same household. This type of tracking raises transparency issues (it employs persistent identifiers), and there are almost no tools that tell consumers which devices are linked together or to them, or that allow them to opt out of the linking of the identifiers. [FTC – Remarks of FTC Chairwoman Edith Ramirez at FTC Workshop on Cross-Device Tracking] See also: [FTC Guidance is Needed for Cross-Device Tracking – CDT] See also: [TD Visa customers’ browsing activities open to ‘surveillance’ by bank; Bank denies collecting general information about what customers do online]

Other Jurisdictions

AU – Australia Introduces New Counter Terrorism Legislation

Australia’s Attorney General introduced new counter-terrorism legislation; the bill includes measures that will allow a control order to be imposed on persons 14 years or older, simplify monitoring of individuals subject to control orders through enhanced search, telecommunications interception and surveillance device powers and introduce a new offence of advocating genocide. [Attorney-General] See also: [AU – Government Unveils Data Breach Notification Bill, Seeks Input]

Privacy (US)

US – EFF Wants FTC to Investigate Google Apps for Ed

The EFF says in a complaint to the FTC that Google’s Apps for Education violates the Student Privacy Pledge the company signed in January, which indicates it will only collect, store or use student data for educational purposes. The EFF found that the company was collecting kids’ personal information through the “Sync” feature in the Chrome browser that “is enabled by default on Chromebooks sold to schools” and says Google is using that information for uses beyond education. Google has agreed to change the settings for computers sold to schools but is “confident that these tools comply with both the law and our promises, including the Student Privacy Pledge.” [The Wall Street Journal]

US – Task Force Recommends Register Drones at Point of Operation, Not Sale

The Federal Aviation Administration’s Unmanned Aircraft Systems (“UAS”) Registration Task Force (“RTF”) Aviation Rulemaking Committee (“ARC”) issued its final recommendation in relation to drone/UAS registration requirements. All drones under 55 pounds must be registered prior to operation in national airspace; registrants, who must register on a free web-based system, receive a single registration number covering all the drones they own. [Task Force Recommendations Final Report]

US – Lorrie Faith Cranor Named FTC’s New Chief Technologist

Carnegie Mellon’s Lorrie Faith Cranor will succeed Ashkan Soltani as the FTC’s Chief Technologist, the agency said. “We are delighted to welcome Lorrie to our team, where she will play a key role in helping guide the many areas of FTC work involving new technologies and platforms,” said the FTC Chairwoman. Not everyone reacted positively: “The revolving door of privacy advocates masquerading as Chief Technologists continues at the FTC,” said the Interactive Advertising Bureau. “It’s like they are funding a one semester internship for anyone with advocate bona fides.” [FTC Press Release]

Privacy Enhancing Technologies (PETs)

US – New PIA Templates, Case Study, Announced

Last year, AvePoint announced a free and downloadable privacy impact assessment automation tool, APIA. Now, with more than 2,500 privacy professionals using APIA in countries spanning the globe, a case study has been published. Also, two new questionnaire templates are now available to help users simplify PIAs and carry out surveys according to recommended best practices: third-party vendor assessment and cloud readiness. [IAPP Resource] SEE also: [Hong Kong DPA Issues PIA Guidance]

Security

WW – Study: Employees Account for 80% of Breaches

Experian’s annual Data Breach Industry Forecast found that 80% of breaches are catalyzed by employees—careless or otherwise. “Unfortunately people doing stupid stuff is the largest cause—it’s as simple as putting a non-production server into production, not turning on a malware or firewall protection or as simple as the lost (unencrypted) laptop or USB key.” [BankInfoSecurity] SEE also: [Fung: Tech Teams Need Ethics Training] [Accessing personal information common practice at RNC, Newfoundland privacy commissioner told]

Surveillance

US – DoJ Testifies on Policy Governing Use of Cell-Site Simulators

The Principal Deputy Assistant Attorney General testified before the U.S. House of Representatives’ Subcommittee on Information Technology of the Committee on Oversight and Government Reform at a hearing titled Examining Law Enforcement Use of Cell Phone Tracking Devices. [Testimony before the House Committee on Oversight and Government Reform – Department of Justice] See also: [UK GCHQ accused of ‘persistent’ illegal hacking at security tribunal] AND: [U.K. Spies Turn Your Cell Phone Into a Bug in Tech War on Terror]

CA – Vancouver Police Deny FOI Request for Cellphone Tapping Info

On September 11, 2015, the Information and Privacy Unit of the Vancouver Police Department (VPD) replied to a July 23 FOI request, explaining that it was unable to provide access to the requested information. In accordance with section 15(1)(c) of the B.C. FIPPA, the VPD refused to release the records requested on the grounds that any disclosure would be harmful to law enforcement. Furthermore, in accordance with section 8(2) of the act, the VPD refused to confirm or deny that any such records existed. The VPD’s response reminded many in the press that the Harris Corporation has, in the past, required U.S. law enforcement agencies buying its brand name StingRay technology to sign non-disclosure agreements (NDAs), requiring questions from the press and the public to be answered as obliquely as the VPD answered the Pivot FOI request. [Source]

Telecom / TV

US – National Security Letter Content Revealed

A US District court judge has allowed a former ISP owner to disclose the content of a National Security Letter he received in 2004. NSLs come with gag orders, forbidding recipients from disclosing their contents or even revealing that they have been received. The document reveals that the FBI sought the target’s entire web browsing history, the IP addresses of everyone the target corresponded with, and a record of all the target’s online purchases. [v3.co.uk] [ArsTechnica] [Yale.edu] [Newly published FBI request shines light on National Security Letters]

US Legislation

US – Sen. Announces Proposed Surveillance Bill

As the government said goodbye to the NSA bulk phone record surveillance program, Senator Tom Cotton (R-AR) introduced the Liberty Through Strength Act II, a bill that aims to “let the government keep the phone records it has already collected for five years.” According to critics, the bill is “Big Brother on steroids.” FreedomWorks’ CEO took umbrage with Cotton and others who “are willing to sacrifice our liberties on the altar of security” and “treating Orwell’s 1984 as a how-to guide instead of a warning.” [SC Magazine] SEE ALSO: [Chat, text, email – Congress moves to stop government snooping]

Workplace Privacy

WW – New Employee Monitoring Software Opens Up Range of Legal Issues

Canadian employers looking to track workplace satisfaction and productivity are taking inspiration from foreign companies that use personal data trackers and data analysis to improve employee performance. However, employers looking to gain the benefit from such programs should prepare for workers raising challenges related to this new practice. Incidental breaches of privacy abound, as do concerns whether the employer’s use of data unfairly prejudices certain employees. Finally, data associated with an individual employee may become disclosed in the course of wrongful dismissal claims. Before using data to track employee productivity, employers would be wise to develop human resources policies in anticipation of challenges raised by workers, as well as to make workers aware of how data will be used. At this early stage, employers may even want to “decouple” data so that it cannot be linked with an individual employee. [Lawyers Weekly] See also: [The Chilling Effect of Privacy Invasion]

CA – Federal, BC and Alberta Commissioners Issue BYOD Guidance

The underlying message contained in the Guidelines appears to be “proceed with caution, if at all”. Implementing a BYOD arrangement for employees should not be taken lightly, and the Guidelines raise a number of issues which must be carefully considered before moving ahead with such an arrangement. The complete Guidelines can be found here. The Guidelines are summarized at [Lexology] [Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization] See also: [IAPP BYOD Resources]

 

+++

16-25 November 2015

Big Data

UK – ICO Recommendations to Committee Inquiry on Big Data

Data anonymisation removes an area of risk for organisations (since the data will no longer be personal data subject to the Data Protection Act); organisations that re-identify individuals from anonymised datasets take on all the responsibilities of a data controller (including telling individuals concerned that they are processing their personal data), and are subject to regulatory action if processing personal data without an individual’s knowledge. [ICO]

WW – MAC addresses: the Privacy Achilles’ Heel of the Internet of Things

A MAC address is a unique identifier for a device, and for something regularly worn or carried by a person, it is effectively a unique identifier for that person. To illustrate what sort of information can be deduced from a MAC address, American designer, innovator and anti-surveillance specialist Adam Harvey demonstrated a program which secretly obtained the MAC addresses of smartphones present at an IT security event. He was able to find the Wi-Fi networks that each phone had connected to and thus trace the owners’ movements around the world. Harvey spoke of how such information could be used: “If I were malicious I could construct a highly targeted phishing attack by saying ‘I see you’ve been to the Grand Hotel, did you enjoy your stay there?'” The MAC address could also be used by malicious actors to trigger a bomb when a certain person enters a room, or by a workplace to secretly track employees’ movements. “The uses are endless, and when you don’t have a way of controlling the MAC address then you’re forced to reveal yourself. It’s not much different to walking around electronically naked, as Edward Snowden said. Of all the metadata consumers are aware of, location is the one that touches intuitively on their privacy sensitivities. It’s why they avoid downloading apps with location permissions, or turn off that service for apps that seek access to location.” Consumers are right to be concerned: location is the most revealing kind of data. A 2012 survey by the Pew Research Centre (PDF) found that 54% of smartphone users had decided not to install an app after learning how much personal information they would need to share to use it, while 30% disabled location on their phone. A later survey by TRUSTe found that after contacts, location data was the information that users are most reluctant to share. [Computing]

Canada

CA – 2015 Theme #1: Acceleration of Privacy Class Actions

The past year has seen a number of decisions in privacy class actions. They confirm that privacy claims in tort can co-exist with comprehensive privacy statutes (at least in Ontario), that the tort of “publicity given to private life” may exist in Canadian law, that class representatives in privacy cases may conceal their identities with pseudonyms in appropriate cases, and that the focus of discovery in privacy class actions will be on defendants’ obligations and conduct. All of the decisions discussed in this article eliminate or reduce potential obstacles to privacy class actions, and so they may signal that more privacy class actions will be brought and potentially certified in 2016. [Lexology] See also: [A New Era for Privacy Class Actions – Hopkins v. Kay and Implications for the Health Industry]

CA – SK OIPC Issues Privacy Impact Assessment (PIA) Guidance

The Saskatchewan Privacy Commissioner’s new guidance covers how and when to conduct a privacy impact assessment and what questions to ask (PIAs should be conducted to assess whether a project complies with privacy legislation). Questions organisations should ask include whether PI/PHI will be transmitted, processed, and/or stored; whether the legislation authorizes the collection of PI/PHI; whether PI/PHI will be stored within the province; and whether there are policies and procedures in place to guide employees on the handling of the PI/PHI. [Guidance] [Press Release] See also: [Privacy Breach: OIAPC NB Finds Department of Health Did Not Conduct A Privacy Impact Assessment Before Implementing System Changes]

CA – BC OIPC Recommends Social Media Companies, Schools and Government Develop Cyberbullying Strategies

Social networks should develop policies/processes to permit the removal of PI in cases of cyberbullying or where it has been inappropriately posted without consent; schools should ensure their codes of conduct address cyberbullying, and the government should develop prosecution guidelines for the application of criminal law to cyberbullying cases. [Press Release] [Report]

CA – Superior Court Finds IPC Decisions Covered by Parliamentary Privilege

The IPC’s MFIPPA tribunal function relates only to access to information appeals and does not include adjudication of complaints regarding privacy breaches (but it can do so at its discretion to assist in reporting to the legislature on the practices of institutions); requiring the IPC to investigate would undermine the Legislature’s confidence in the IPC’s ability to prioritize cases that warrant investigation, or allocate resources – the Court does not have jurisdiction to decide whether the IPC properly refused to investigate a complaint or not. [de Pelham v Peel Regional Police Services – 2015 ONSC 6558 – CanLII]

Education

US – Data Privacy and Security Curriculum Released for K-12 Schools

It is essential that children learn about data privacy and security. Their lives will be fully enveloped by technologies that involve data. But far too little about these topics is currently taught in most schools. The Internet Keep Safe Coalition (iKeepSafe), a nonprofit group of policy leaders, educators, and various experts, has released the Privacy K-12 Curriculum Matrix. It can be used by any school, educator, or parent. It contains an overview of the privacy issues that should be taught, including which details about each issue should be covered in various grade levels. It includes suggestions for appropriate learning activities for each grade level. Data security is encompassed within this curriculum too, as it is deeply intertwined with privacy. [Daniel Solove]

Facts & Stats

WW – Google Receives 2 Million Privacy Takedown Requests Each Day

Google has come clean about the number of privacy takedown requests it’s currently receiving from copyright holders around the world. The web giant’s latest Transparency Report confirms that it is being served with a staggering 2 million of these requests each day. That figure – which equates to 25 requests a second or around 2,160,000 a day – has doubled over the last year as the war on piracy rages on. These stats include multiple takedown requests for the same website, so last month’s requests came from 5,492 rights holders about 72,207 domains. [digitalspy.com]

FOI

CA – BC Commissioner to Audit Vancouver’s Info Management Practices Following Provincial Scandal

The City of Vancouver’s handling of access to information and protection of privacy is coming under the microscope of the BC Privacy Commissioner, who said it isn’t acting on a complaint but wants to make sure Vancouver’s record-handling practices comply with the provincial Freedom of Information and Protection of Privacy Act. “Unlike the Oct 2015 Access Denied report [Press Release] which was focused on responding to specific complaints, this is a broader, in-depth report. It is part of our audit and compliance program,” said a spokeswoman. [Vancouver Sun] SEE ALSO: [Dark Picture Painted of B.C. Information Laws at Vancouver hearings] and [Vancouver Mayor Robertson Defends City Hall’s Access To Information Practices] [B.C. information watchdog says probe of Vancouver city hall will delve deeper than investigation of B.C. government]

Health / Medical

AU – Australian DPA Document Identifies When PHI May Be Processed for Research Purposes

Circumstances under which collection may take place without consent include where the research is relevant to public health or safety, where it is impracticable to seek consent, where de-identified data would not serve the research purpose, or where collection is required by law or in accordance with rules/guidelines. [Office of the Australian Information Commissioner: Business Resource: Collecting, Using and Disclosing Health Information for Research]

AU – Australian Privacy Commissioner Issues Guidance on Direct/Indirect Collection of PHI

Health information must be collected directly from the patient unless it is not reasonable or practical to do so based on factors such as how sensitive the information is, whether a reasonable person might expect their information to be collected directly or indirectly, what is accepted practice by consumers and the health sector (e.g. a pathologist collecting a specimen and accompanying information from a referring provider) or emergency situations where it is collected from relatives. [OIC Australia – Consultation Information – Collecting Patients Health Information]

Law Enforcement / Security

US – Police Body Cams Found Pre-Installed With Notorious Conficker Worm

Multiple police body cameras manufactured by Martel Electronics came pre-installed with Win32/Conficker.B!inf, according to security firm iPower. When one such camera was attached to a computer in the iPower lab, it immediately triggered the PC’s antivirus program. When company researchers allowed the worm to infect the computer, the computer then attempted to spread the infection to other machines on the network. iPower decided to take the story public due to the huge security implications of these cameras being shipped to government agencies and police departments all over the country. It’s troubling because the cameras can be crucial in criminal trials. If an attorney can prove that a camera is infected with malware, it’s plausible that the vulnerability could be grounds for the video it generated to be thrown out of court, or at least to create reasonable doubt in the minds of jurors. Infected cameras can also infect and badly bog down the networks of police forces, some of which still use outdated computers and ineffective security measures. [Ars Technica]

Location

WW – How Uploading Pictures of Your Pet Cat Can Breach Your Privacy

A Florida professor has shown how innocently uploading a picture of your pet cat can allow stalkers to pinpoint exactly where the image was posted. He created a website, ‘I Know Where Your Cat Lives’, to raise awareness of how people were giving up their privacy online. Location data is often added to images by the camera itself or an accompanying app, recording where the photo was taken to within eight metres. He launched the website in July 2014; it now plots 5.3 million cat pictures taken from social media sites such as Instagram and Flickr on a Google Atlas map, which can zoom into a specific location. “Geographic data is sensitive. A picture can only say so much. But if someone wants to do you harm or stalk you, or you live in a place where free speech is limited, anyone can track where you are.” [Mail Online]
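The mechanism behind the story is Exif metadata: cameras and photo apps write GPS tags into the JPEG’s APP1 segment, and uploading the file unchanged publishes them along with the picture. The following is an added example, not code from the article or from the website it describes. It uses only the Python standard library to read the GPS tags out of a JPEG and to produce a copy with the Exif segment removed, which is the pre-upload check and fix a user (or a hosting service) can apply. The JPEG it runs on is a constructed fixture, a bare header skeleton carrying a made-up location rather than a real photo; the tag numbers and the TIFF layout are the standard Exif ones.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                       # GPSInfo IFD pointer, lives in IFD0
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x1, 0x2, 0x3, 0x4

def iter_segments(data):
    """Yield (marker, start, end) for each JPEG header segment before SOS."""
    pos = 2                                # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):         # SOS or EOI: no more metadata
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def is_exif(data, start):
    return data[start + 1] == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER

def gps_from_tiff(tiff):
    """(lat, lon) in decimal degrees from an Exif TIFF blob, or None."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]       # byte-order mark
    magic, ifd0_off = struct.unpack(bo + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")

    def read_ifd(off):                     # tag -> (type, count, 4 raw value bytes)
        (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
        ents = (struct.unpack(bo + "HHI4s", tiff[off + 2 + 12 * i:][:12]) for i in range(n))
        return {tag: (typ, cnt, val) for tag, typ, cnt, val in ents}

    def ascii_(entry):
        _, count, val = entry
        if count > 4:                      # longer values live at an offset
            (off,) = struct.unpack(bo + "I", val)
            val = tiff[off:off + count]
        return val[:count].rstrip(b"\x00").decode("ascii")

    def dms(entry, ref):                   # 3 RATIONALs (deg, min, sec) -> signed degrees
        _, count, val = entry
        (off,) = struct.unpack(bo + "I", val)
        r = struct.unpack(bo + "II" * count, tiff[off:off + 8 * count])
        d, m, s = [n / den if den else 0.0 for n, den in zip(r[::2], r[1::2])]
        deg = d + m / 60 + s / 3600
        return -deg if ref in ("S", "W") else deg

    ifd0 = read_ifd(ifd0_off)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(struct.unpack(bo + "I", ifd0[TAG_GPS_IFD][2])[0])
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    return (dms(gps[TAG_LAT], ascii_(gps[TAG_LAT_REF])),
            dms(gps[TAG_LON], ascii_(gps[TAG_LON_REF])))

def find_gps(jpeg):
    """Decimal (lat, lon) if the JPEG carries Exif GPS tags, else None."""
    for _, start, end in iter_segments(jpeg):
        if is_exif(jpeg, start):
            return gps_from_tiff(jpeg[start + 10:end])
    return None

def strip_exif(jpeg):
    """Copy of the JPEG with every APP1 Exif segment dropped; image data untouched."""
    out, last = bytearray(), 0
    for _, start, end in iter_segments(jpeg):
        if is_exif(jpeg, start):
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)

def build_sample_jpeg():
    """Constructed fixture (not a real photo): JPEG skeleton whose Exif GPS reads 51.5N 0.25W."""
    bo = "<"                               # little-endian TIFF ("II")
    def ifd(entries):                      # entry count, 12-byte entries, no next-IFD link
        body = b"".join(struct.pack(bo + "HHI", t, ty, c) + v for t, ty, c, v in entries)
        return struct.pack(bo + "H", len(entries)) + body + struct.pack(bo + "I", 0)
    def rationals(parts):
        return b"".join(struct.pack(bo + "II", n, d) for n, d in parts)
    # Layout: header 0-8, IFD0 8-38, GPS IFD 38-92, latitude 92-116, longitude 116-140
    ifd0 = ifd([(0x010F, 2, 4, b"Cam\x00"),                      # Make, stored inline
                (TAG_GPS_IFD, 4, 1, struct.pack(bo + "I", 38))])
    gps = ifd([(TAG_LAT_REF, 2, 2, b"N\x00\x00\x00"),
               (TAG_LAT, 5, 3, struct.pack(bo + "I", 92)),
               (TAG_LON_REF, 2, 2, b"W\x00\x00\x00"),
               (TAG_LON, 5, 3, struct.pack(bo + "I", 116))])
    tiff = (b"II" + struct.pack(bo + "HI", 42, 8) + ifd0 + gps
            + rationals([(51, 1), (30, 1), (0, 1)])               # 51 deg 30' 00" N
            + rationals([(0, 1), (15, 1), (0, 1)]))               # 0 deg 15' 00" W
    exif = EXIF_HEADER + tiff
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x00\x00"   # dummy scan header
    return b"\xff\xd8" + app0 + app1 + sos + b"\xff\xd9"
```

`find_gps(build_sample_jpeg())` returns the constructed location, and `find_gps(strip_exif(...))` returns `None` while the segments after the Exif block (and so the image data in a real file) are copied through byte for byte. The stripper removes the whole APP1 Exif segment rather than rewriting individual tags, because the GPS IFD is only one of several places (thumbnail, maker notes, XMP in a separate APP1) where a location can hide; when an image must keep its Exif, the same walker can be used to rewrite the segment with the GPS IFD pointer removed.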

Other Jurisdictions

WW – Five Things You Need to Know About Transferring Data Out of Europe

The U.S.-EU Safe Harbor agreement on transatlantic data transfers is dead. What now?

  1. It only concerns personal data
  2. It’s not the only way to transfer data legally
  3. Your cloud provider may already have your back
  4. Even the alternatives to Safe Harbor may prove inadequate
  5. January 31 is when things get interesting [ComputerWorld]

CA – Trans-Pacific Partnership: Key Takeaways from the Legal Text

Multiple elements of the TPP – including the chapters on electronic commerce, telecommunications and intellectual property – will have an impact on privacy. Most notably, the chapter on e-commerce places limits on restricting international transfers of information. The TPP requires each country to allow the cross-border transfer of information, including personal information, by electronic means when this activity is for the conduct of the business of a covered person. A country may, however, have its own rules concerning electronic transfers of information to achieve a legitimate public policy objective, provided that the measure (i) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and (ii) does not impose restrictions on transfers of information greater than are required to achieve the objective. The TPP also prohibits the imposition of measures requiring a covered person to use in-country data centres as a condition for conducting business in that country, unless the measures can be justified as necessary to achieve a legitimate public policy objective and meet conditions of not being discriminatory, arbitrary or a disguised restriction on trade. Exceptions for the application of the above rules have been provided for financial institutions, public procurement or information processed on behalf of the government. [Osler Law]

Mobile Privacy

WW – Key Takeaways on Mobile Apps and Privacy Study

A new Pew Research Center report examines more than 1 million apps available in the Google Play Store from June to September 2014 and explores the wide range of permissions that Android apps require as a condition of use. Pew Research also surveyed Americans about their privacy concerns relating to apps and found many are cautious when it comes to how apps use their personal data. Here are five takeaways from the report:

1)   Six in ten downloaders chose not to install an app when they discovered how much personal information the app required in order to use it. Separately, 43% have uninstalled an app for the same reason after initially downloading it.

2)   A majority cited concerns about how their personal data are used as a reason why they would or would not download an app.

3)   Most Android app permissions seek access to a device’s hardware, rather than a user’s personal information.

4)   The most common Android app permissions allow access to a smartphone’s internet connectivity. The average app requested five permissions before installation.

5)   A majority of Android apps we analyzed were free. On average, free apps ask for two more permissions than paid apps (six permissions vs. four).

[Pew Research] Details on the full methodology are available here.

Workplace Privacy

CA – Employer Cannot Use Video Surveillance for Disciplinary Purposes: Ontario Arbitrator

The collective agreement between the employer and the union prohibited the use of video surveillance for any purpose other than security and the employer’s own policies stated that video footage would only be used in the event of a complaint (there was no complaint against the employee). [The Corporation of the City of Niagara Falls v Amalgamated Transit Union Local 1582 – 2015 ONLA 67502 – CanLII]

+++


01-15 November 2015

Biometrics

US – Retailers Test Out Facial Recognition

Retailers are deploying and experimenting with facial recognition technology designed to identify suspected thieves. After several months of experimentation in some of its stores, Wal-Mart decided not to use the technology. “We were looking for a concrete business rationale,” said a Wal-Mart spokesperson, adding, “It didn’t have the ROI.” The technology, made by California-based FaceFirst, scans customers’ faces as they walk into the store and compares the images to find matches with alleged offenders. According to FaceFirst, they do not retain images of every customer, only the suspects or people who resemble a suspect. Though FaceFirst said its software is accurate 98 to 100% of the time, one critic said that some companies have concluded that facial recognition is “not ready for prime time.” [Fortune]

US – Plaintiffs Ask Judge to Let Facebook Suit on Facial Tagging Proceed

Facebook users in Illinois are asking a federal judge to allow a federal lawsuit to proceed that accuses the social media site’s automatic tagging feature of violating an Illinois privacy law by storing users’ faceprints. A 2008 law in the state mandates companies collect written consent from subjects before collecting biometric data and also requires notice be provided, as well as a schedule for data destruction. Facebook has asked U.S. District Court Judge James Donato to dismiss the potential class-action, the report states, but the plaintiffs’ lawyers say the case should proceed in the name of protecting Illinois citizens’ privacy. [MediaPost]

Canada

CA – Supreme Court Paves Way to Medical Class Action Suit

The Supreme Court of Canada will not hear an appeal in a case in which hundreds of patients’ medical records were accessed inappropriately by Peterborough Regional Health Centre staffers. The Supreme Court’s decision means the case will proceed to trial, which may “open the way to privacy class-action lawsuits.”

CA – BC Commissioner to Audit City of Vancouver

The British Columbia (BC) Information and Privacy Commissioner Elizabeth Denham is looking into the access-to-information requests and privacy practices of the City of Vancouver to ensure the city is in compliance with the provincial Freedom of Information and Protection of Privacy Act.

CA – Ontario MPP Proposes Smart Meter Security Law

Toronto Danforth MPP Peter Tabuns is concerned Ontario’s smart meters are vulnerable to hacking and privacy breaches. In response, he plans to table a private member’s bill to shore up the security gaps.

CA – NB Commissioner Rules WorkSafeNB “Violated its Own Rules”

WorkSafeNB “violated its own rules” when it shared some of its workers’ data without their consent, says New Brunswick Privacy Commissioner Anne Bertrand. After an injured worker complained that her information had been shared with a polling firm, Bertrand’s office investigated.

CA – TPP Criticized for Restrictions on Data Residency

While the deal aims to make e-commerce easier, some critics say the Trans-Pacific Partnership trade agreement’s verbiage may override some provincial laws that require data be stored on local servers to keep Canadians’ personal information safe.

CA – MB Health Minister to Review Health Record Access Laws

Health Minister Sharon Blady has promised to review health-record access laws after providers refused to give family members access to a missing mental health patient’s records citing Manitoba’s Personal Health Information Act.

CA – Federal Commissioner Comments on Drones with Camera

Federal Privacy Commissioner Daniel Therrien says regulations restricting the use of camera-equipped drones in certain “sensitive” areas are needed. Transport Canada has said it will issue new guidelines for small drones at some point in 2016.

CA – Ontario Liquor Board to Comply with Order, Purge Records

The Liquor Control Board of Ontario is now complying with a privacy commission ruling that it must destroy the records of beer, wine and spirit club members.

CA – Former BC Commissioner to Review Email Retention/Deletion Policy

Former BC Information and Privacy Commissioner David Loukidelis has been hired to conduct an assessment on how best to implement recommendations for government retention and deletion of emails.

Consumer

WW – Study: 2016 a “Tipping Point” for Privacy Fears

A Forrester Research study indicates that 2016 will be a “tipping point” for online privacy concerns, “prompting regulators to crack down on companies, and consumers to demand greater protection.” Businesses “also stand to suffer the most when consumers decide to prioritize privacy over convenience, something that is already beginning to shape behavior,” the report continues. Other privacy trends the study highlights are: customers “paying for fewer ads, with more privacy; regulatory wrath against privacy violators, and California as incubator of privacy protections.” Specific trends aside, Forrester urges companies to act. “Don’t wait for federal regulation to get your privacy house in order,” the study says. [NBC News]

US – Companies’ Terms Increasingly Forbid Class Actions

Legal experts with the American Association for Justice and Sen. Al Franken (D-MN) and Rep. Hank Johnson (D-GA) met Monday to discuss a recent investigation that found an uptick in the number of companies preventing consumers from filing class-action lawsuits via arbitration clauses. Such clauses generally say product disputes can only be settled “by privately appointed individuals or arbitrators, rather than through the court system,” the report states. “Forced arbitration is not voluntary, it’s not just and it’s not fair,” Johnson said. The Consumer Financial Protection Bureau last month said it’s considering rules to prevent the practice. [The Hill]

WW – Study: Data Goes to Companies Users Trust

A Center on Global Brand at Columbia Business School and Aimia survey of 8,000 consumers in the U.S., Canada, the U.K., India and France found that while “80% of those polled said they would share data for rewards,” the amount of information disclosed often depends on the amount of trust they have for a brand. Among the most trusted companies? Consumers named organizations like Bank of America, Delta, T-Mobile, Walmart and Facebook. Regardless of brand confidence, the study found that “home address, mobile phone, name and date of birth were personal data consumers felt most sensitive about,” the report states. [MediaPost]

WW – Smart Packaging and RFID-Blocking Wallets

A report analyzes the rise in privacy concerns around RFID packaging, particularly with RFID-blocking wallets. Since many credit cards contain RFID chips, consumers are starting to use protective wallets to secure against adversaries skimming their credit card numbers. “The irony illustrates,” the report reads, “the dilemma faced by RFID: the more it becomes mainstream, the more it generates screams.” The efficiency and convenience of smart packaging—including RFID-enabled packaging at the item level—holds a lot of promise, the report states, but the corresponding rise in privacy concerns may slow mainstream adoption. “So will we ever see a marriage of RFID and packaging?” the report queries. “If we do, it will be because of the successful resolution of privacy concerns, giving new meaning to the phrase, ‘a marriage of convenience.’” [Packaging World]

E-Government

US – Study: Government Agencies Among Most Repeatedly Breached

A Risk Based Security (RBS) study finds that 21 of the 99 organizations suffering breaches multiple times are government-based, with the Internal Revenue Service and the U.S. Office of Veterans Affairs among the Top 10 “Most Breached Organizations of All Time.” A “variety of factors” contribute to the repeat breaches, RBS CISO Jake Kouns said in the report, pinpointing elements like the “juicy” nature of the information and “the scale of the agencies’ environments and assets.” Meanwhile, The New York Times reports that the appointment of Beth Cobert as director of the Office of Personnel Management faces an uphill battle in the Senate, while the Department of Homeland Security will begin to employ 1,000 cybersecurity professionals “as part of the government’s ongoing plan to address cyber risks.” [Dark Reading]

US – US Government Agencies Earn Poor Grades on Initial FITARA Report Card

Most US government agencies have not done well in implementing the Federal Information Technology Acquisition Reform Act (FITARA) requirements. According to a report card from the House Oversight and Government Reform Committee, agencies averaged a “D.” The grades are being viewed as “an initial assessment” to identify areas that need attention and improvement. The four categories on which the agencies were graded are data center consolidation; IT portfolio review savings; incremental development; and risk assessment transparency. [NextGov] [NextGov]

E-Mail

US – The Clinton Emails and Changing Privacy Expectations

Lawrence Cappello analyzes how the public release of former Secretary of State Hillary Clinton’s emails “represents a clear historical break from the privacy protections traditionally afforded Cabinet members.” Cappello notes that, traditionally, such high-level correspondence is only released after a 30-year delay, “in the interest of giving government officials space to express controversial ideas” without fear of political retribution. “For the same reasons that individual citizens need privacy so that they can better formulate ideas, assess their surroundings and respond to problems intelligently, so too do government officials need privacy to reflect on the long-range effects of their policies and to engage in frank discussions aimed at finding intelligent solutions,” he writes. [The Atlantic]

Electronic Records

US – PMI’s Privacy and Trust Initiatives Published

The Obama Administration’s Precision Medicine Initiative’s (PMI) Privacy and Trust Initiatives have been released, the White House said in a statement. “The Privacy and Trust Principles are organized into six broad categories: governance that is inclusive, collaborative, and adaptable; transparency to participants and the public; respecting participant preferences; empowering participants through access to information; ensuring appropriate data sharing, access and use, and maintaining data quality and integrity,” the report states. “These principles are intended to establish a foundation for future PMI activities to ensure that privacy has been built into the core of the Initiative and that privacy is maintained as a central priority of PMI throughout all components,” the report continues. [WhiteHouse.gov]

Encryption

EU – Bill Could Eradicate End-to-End Encryption

The proposed Investigatory Powers Bill, championed by Prime Minister David Cameron, would strip organizations’ ability to provide end-to-end encryption. “We need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts,” a spokesman for the Home Office said. Added Cameron, “as Prime Minister I would just say to people ‘please, let’s not have a situation where we give terrorists, criminals, child abductors, safe spaces to communicate.’” [The Daily Telegraph] See [Lacking Disk Encryption Quality For Mobile Devices]

WW – Tor Claims Government paid University to Uncover Users’ IP Addresses

According to the head of the Tor Project, the FBI paid researchers at Carnegie Mellon University US $1 million to identify users of the anonymizing network. Neither university officials nor the FBI have responded to the allegations, although a CMU spokesperson asked “to see the substantiation for their claim.” In August 2014, CMU researchers were scheduled to give a talk on cracking Tor at the Black Hat conference, but the briefing was pulled from the schedule. [Ars Technica] [Wired] [The Register] [BBC]

[Tor Statement] [Black Hat Talk Cancellation Notice]

US – Gmail Will Warn Recipients of Unencrypted Messages

Gmail will start notifying users when email in their inbox was sent over an unencrypted connection. The change will be rolled out over the next several months. Google hopes the practice will encourage the use of encryption and strong authentication. [DarkReading] [ZDNet] [NBC News] SEE ALSO: [Let’s Encrypt To Open Beta On December 3rd 2015]

US – Encryption App Signal Comes to Android

The Edward Snowden-used and -blessed, hyper-encrypted talk-and-text mobile app Signal is now available to Android users. The free, newly streamlined program, developed by Open Whisper Systems, is reportedly so secure that it consistently draws the ire of the FBI and a smattering of governments across the world. “Every time someone downloads Signal and makes their first encrypted call, FBI Director Jim Comey cries,” American Civil Liberties Union Lead Technologist Chris Soghoian tweeted. “True fact.” [Wired]

EU Developments

EU – Cross-Atlantic Group Pens Letter Asking New Safe Harbor Be Scrapped

While EU and U.S. officials are working on drafting a new data-transfer agreement to replace the now-defunct Safe Harbor, 20 EU and 14 U.S. NGOs have sent a letter to both European Commissioner for Justice, Consumers and Gender Equality Vera Jourová and U.S. Secretary of Commerce Penny Pritzker to ask that they shift their focus to “commit to a comprehensive modernization of privacy and data protection laws on both sides of the Atlantic.” A “Safe Harbor 2.0,” the letter said, “will not provide a viable framework for future transfers of personal information.” Instead of simply writing something similar in nature to the Safe Harbor deemed invalid by Europe’s highest court, the human rights and privacy organizations wrote that it’s the privacy laws themselves that need to be rewritten. Meanwhile, the EU-U.S. Ministerial Meeting on Justice and Home Affairs highlighted their work on trans-atlantic data protection in its “final statement,” released Friday. [Ars Technica]

EU – Facebook! You’ve Got 48 Hours to Stop Tracking People

Facebook has been ordered to stop tracking people who don’t have accounts with it within 48 hours or face daily fines of 250,000 euros. The decision by a Belgian court follows a case brought by the country’s privacy watchdog earlier this year in which it argued that the social media company was tracking everyone who visited pages hosted on its website, regardless of whether they were users of the service. If users “like” or share a Facebook page, they also have a cookie installed in their browser, whether or not they are logged in or have an account with the company. By not explaining what it did with the data or asking for consent, the company was breaking local privacy laws, argued the Belgian Privacy Commission. And the court agreed. [The Register]

EU – Belgian Court Rules Facebook Must Desist With Datr Cookie

Facebook plans to appeal a Belgian court ruling that mandated a cease-and-desist of “datr cookie” use. The cookie allegedly tracks the online habits of non-Facebook users after visiting the site. “We’ve used the ‘datr’ cookie for more than five years to keep Facebook secure for 1.5 billion people around the world,” a spokeswoman said. “We will appeal this decision and are working to minimise any disruption to people’s access to Facebook in Belgium.” Meanwhile, the site announced that its “Messenger” tool will employ facial recognition technology for an “easier, faster way to share photos.” [Reuters]

WW – ICDPPC Releases Special Edition Communique

Following last month’s conference in Amsterdam, the Executive Committee of the International Conference of Data Protection & Privacy Commissioners (ICDPPC) has released a “special edition” of its newsletter. ICDPPC Chair John Edwards, who is also the privacy commissioner of New Zealand, wrote, “The two Closed Session discussions proved to be more topical than we could have anticipated when we conceived them earlier this year, with the rapid commercialisation of genetic technologies and the ECJ decision in Schrems … illustrating how important it is for DPAs and others concerned with privacy to engage in a public conversation about intelligence and security.” [ICDPPC]

UK – UK Draft Investigatory Powers Bill

UK Home Secretary Theresa May presented the Investigatory Powers Bill earlier this week. Both houses of Parliament will examine the draft legislation before developing a final version and voting on it. Among the draft bill’s provisions are a requirement that Internet service providers (ISPs) retain users’ browsing history data for one year, and increased powers for law enforcement to gain access to data. [v3.co.uk] [SC Magazine] [v3.co.uk] [Ars Technica] [ZDNet] [The New York Times]

UK – Snooper’s Charter Debut Garners Jeers

After the Investigatory Powers Bill was unveiled in Parliament, critics are officially and powerfully spooked. The bill would “take the UK closer to becoming a surveillance state,” Amnesty International said. “The bill proposes the authorities be given the right to retrospectively check people’s ‘internet connection records’ without having to obtain a warrant,” records that are “a very valuable target for criminals to go after,” said Andrews & Arnold’s Adrian Kennard. The legislation also aims to totally eradicate end-to-end encryption, which led Wikipedia founder Jimmy Wales to tweet, “I would like to see Apple refuse to sell iPhones in UK if government bans end-to-end encryption. Does Parliament dare be that stupid?” Meanwhile, The Guardian studies how Snowden’s surveillance revelations impacted the U.S. and the UK differently. [Reuters]

EU – Snooper’s Charter Criticism Grows Louder

The draft Investigatory Powers Bill continues to rile up privacy advocates and tech giants alike. “The snoopers’ charter in the UK is just a bit worse than scary, isn’t it,” said United Nations Special Rapporteur on Privacy Joseph Cannataci. “If your oversight mechanism’s a joke, and a rather bad joke at its citizens’ expense, for how long can you laugh it off as a joke?” Tim Cook, CEO of Apple, also expressed his displeasure for the bill, especially its mandate of backdoor encryption. “Any backdoor is a backdoor for everyone,” Cook said. “Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.” [The Daily Dot]

EU – MEPs Vote to Pardon, Protect Snowden; DPAs Call for Transparency

In a resolution, Members of the European Parliament (MEPs) announced that “too little has been done” to protect citizens from electronic mass surveillance since the Snowden revelations. In a vote of 342 to 274, MEPs called on EU member states to “drop any criminal charges against Edward Snowden” and to grant him protection. Snowden tweeted the vote was “extraordinary.” Meanwhile, more than 30 privacy and civil liberties organizations are challenging U.S. Director of National Intelligence James Clapper to disclose how many Americans are spied on under Section 702 of the Foreign Intelligence Surveillance Act. And international data protection authorities are calling on governments worldwide to boost transparency via a resolution proposed at the 37th International Privacy Conference in Amsterdam. [Europarl]

EU – Other Privacy News

At the ISSE 2015 conference, Assistant European Data Protection Supervisor Wojciech Wiewiorowski argued that even though the ECJ ruled against the legitimacy of the Safe Harbor framework, “the ruling did not say the Safe Harbor processes themselves were invalid, but that they were simply not enough.”

Russian authorities have allegedly told Twitter that it must store Russian users’ data in the country or face the potential of being blocked and fined. Russian Internet regulator Roskomnadzor issued the warning, even though in July it had said Twitter would not have to comply with Russia’s new data localization law.

The proposed UK Investigatory Powers Bill would strip organizations’ ability to provide end-to-end encryption. Meanwhile, Conservative MP Theresa May has promised that the Investigatory Powers bill will not be a repeat of its 2012 iteration, touting the removal of its “contentious” bits.

The Spanish data protection authority has sent letters to Safe Harbor-certified companies operating in Spain outlining necessary steps that companies must take.

Digital Rights Ireland is accusing Ireland of failing to guarantee the independence of the data protection commissioner.

The UK Information Commissioner’s Office has fined the Crown Prosecution Service GBP 200,000 for not ensuring adequate data security of laptops containing sensitive law enforcement interviews with victims and witnesses.

Facts & Stats

US – Study Ranks Companies on Privacy Score

In an interview with DW, Ranking Digital Rights’ (RDR) Director Rebecca MacKinnon discussed the results of RDR’s Corporate Accountability Index 2015 study, which graded and ranked 16 globally prevalent telecom and tech organizations on their human rights records. Google topped the list, with Axiata and Etisalat rounding out the bottom. “Companies need to do human rights impact assessments,” MacKinnon said. “They need to assess how their business impacts on someone’s freedom of expression and privacy and they need to have a process for monitoring this as well as a process for accountability within the company,” adding that businesses “need to be clear to their users about what they collect and what happens to user information.” [DW.com]

WW – World’s Top Tech Companies Get Failing Grade on Privacy

“According to the most comprehensive assessment to date of their user agreement policies,” the world’s biggest tech companies are not protecting their users’ privacy and freedom of expression. Companies from the U.S., Europe and Asia all received failing grades from a project known as Ranking Digital Rights. None of the companies reviewed offered users appropriate information on privacy and censorship, the New America Foundation think tank survey stated. “There are no ‘winners,’” the group said, adding, “Even companies in the lead are falling short.” Meanwhile, a separate report has found that nine out of 10 of the Internet’s top websites are leaking user data. University of Pennsylvania privacy researcher Tim Libert published the peer-reviewed report, which sought to quantify all the “privacy compromising mechanisms” on the world’s most popular websites. [The Guardian]

WW – Study: Privacy Fears Aren’t Instigating User Action

A Parks Associates study discovered that while 76% of households with broadband “are very concerned about their data security and personal privacy when using connected devices,” only 50% cite interest in their broadband provider’s security options, while 80% don’t even realize that they exist, the firm announced in a statement. “As consumers acquire more connected devices for their homes, the more exposure they feel, either through experience or from hearing about high-profile security breaches in the media,” said Parks Associates’ Patrice Samuels. “As a result, they are seeing high value in security and privacy support either as stand-alone services or through monthly fees.” The reason for the lack of knowledge regarding protective offerings? They “are likely not heavily promoted because they do not generate revenue for the company,” Samuels added. [Full Story]

Filtering

DAA Issues Video Ad Guidelines; CA AG Releases Location Tracking Tips

The Digital Advertising Alliance (DAA) has released new guidelines for displaying privacy icons in video ads. Ad Marker Implementation Guidelines for Video Ads includes technical specifications for the size and placement of the AdChoices icons in video ads. Unlike the recommendations for display and mobile ads, the DAA has said the icon can be placed in any of the four corners of a video ad. “Given that player formats and the positioning of player controls may vary among video ads, implementing companies may choose alternative corners so as to avoid conflicts in user interaction,” the DAA states in its 12-page release. Meanwhile, California Attorney General Kamala Harris has released consumer tips on mobile location tracking, including an information sheet called “Location, Location, Location: Tips on Controlling Mobile Tracking.” [MediaPost]

US – Supreme Court Set to Hear Spokeo Case

The U.S. Supreme Court will take up Spokeo, Inc v. Robins, a case that could have far-reaching implications for privacy class-action lawsuits. “If you have automatic damages for statutory violations,” said U.S. Chamber of Commerce attorney Roy T. Englert, “it is a ticket for class-actions to sue for millions and even billions on behalf of people who didn’t suffer any harm.” However, Marc Rotenberg of the Electronic Privacy Information Center said, “This is no time for the court to make it harder to bring lawsuits against companies” that are profiting off the sale of personal data. The Editorial Board for The New York Times said the justices should let the case proceed. Separately, Google has asked a judge to delay a different privacy lawsuit until after the Supreme Court decides on Spokeo. [Los Angeles Times]

FOI

US – EPIC FOIAs Government for Umbrella Agreement Text

The Electronic Privacy Information Center (EPIC) has filed a complaint alleging the federal government is not responding to a Freedom of Information Act (FOIA) request EPIC filed in September to obtain the full text of the so-called Umbrella agreement with the EU. The potential deal between the U.S. and EU would pave the way for data sharing among law enforcement, and hinges on the U.S. government passing the Judicial Redress Act. “The stated aim of the negotiators is to ensure the privacy protections and redress rights afforded to U.S. persons under the Privacy Act of 1974 are available to non-U.S. persons,” EPIC stated in its complaint. “However, the text of the Judicial Redress Act does not support this conclusion. The public release of the text of the agreement is therefore critical to determine the reason for the legislation.” [Courthouse News Service]

US – Facebook Transparency Report

During the first half of 2015, governments requested Facebook account data more than 41,000 times, according to the company’s most recent transparency report. During that same period in 2014, the figure was just over 35,000. Nearly half of the requests came from US law enforcement. Facebook provided requested data on 80% of those cases. [CS Monitor] [NBC News] [Facebook Report]

US – Facebook Transparency Report Shows Uptick in Requests

According to Facebook’s latest transparency report, governments around the world are requesting the company ban more posts and disclose more user data than ever before. During the first half of 2015, 92 countries asked Facebook to take down 20,568 posts on Facebook, Messenger, WhatsApp and Instagram, more than double what was requested in 2014. [CS Monitor] [NBC News] [Facebook Report] [Full Story]

Health / Medical

ONC Unveils 2016 Privacy Plans

In the wake of the Office of the National Coordinator for Health IT’s (ONC) release of its 10-year road map, the agency announced a litany of privacy-centered schemes for the upcoming year. “We have a lot of work planned … reminding people of what HIPAA actually provides,” said ONC CPO Lucia Savage, citing specific goals for the organization “to clarify misunderstandings about HIPAA’s privacy regulations.” She added that “breaking down barriers to information sharing is a top ONC priority for the year ahead.” Savage also disclosed that the agency, the Centers for Medicare and Medicaid Services and the National Governors Association are teaming up for two separate privacy projects. [Healthcare Info Security]

US – Sensitive Diagnosis Posted to FB Not Grounds for Lawsuit

A Hamilton County Common Pleas Court judge ruled an employee who screenshotted medical records and shared them on Facebook was not “within the scope of her employment” and therefore cannot be sued. The screenshot of the medical record, which disclosed the patient’s “maternal syphilis,” was then taken and published to Facebook group “Team No Hoes,” but the judge argued the action was merely a breach of hospital protocol. “(The hospital) had a policy. It was violated,” said Judge Jody Luebbers. “It’s tragic … but that’s just how I see it.” The plaintiff is expected to appeal, as the ruling was a “close call … decided on a legal technicality,” the report states. [Cincinnati]

US – Senatorial Letter Asks Tough Healthcare Privacy Questions

A bipartisan coterie of senators penned a letter to the Centers for Medicare and Medicaid Services’ Acting Administrator Andy Slavitt and Health and Human Services’ Office for Civil Rights Director Jocelyn Samuels, expounding on their frustrations regarding the numerous healthcare data breaches of late and outlining questions they have for the future. “We are concerned that data theft will continue to rise and will result in an increase in medical identity theft,” the letter said. This comes on the heels of the FBI’s Donald Good’s disclosure that BYOD policy implementation is considered the top healthcare security headache, while data from a Forrester study indicates that “the healthcare industry continues to shortchange Americans when it comes to protecting their data.” Meanwhile, an employee’s “retaliatory agenda” spurred a 16,000-victim Children’s Medical Clinics PHI breach. [NextGov]

US – Brief: Prescription Case Problematic for Privacy

A Litigation Center of the AMA and State Medical Societies amicus brief on the Lewis v. Superior Court of Los Angeles County case indicates that the ruling could have significant privacy implications. The legal proceedings aim to decide if the California Medical Board “infringed upon patients’ constitutional right to privacy when it obtained prescription data without a showing of good cause,” the report states. The brief argues that “there is good reason why federal and state laws treat prescription information with the same level of protection as any other health information,” adding that “the DoJ has not offered an acceptable justification for ignoring the governing laws.” Meanwhile, Verizon’s first-ever Protected Health Information Data Breach Report reveals that most healthcare data breaches aren’t as “sophisticated” as one would think. [AMA Wire]

WW – Contraceptive Computer Chip May Hit the Market in 2018

Women may have a new option in birth control if a contraceptive computer chip hits the market in 2018 as planned. The chip, which has been backed by Bill Gates and will be submitted for pre-clinical testing in the U.S. next year, is implanted underneath the skin and can be controlled by a wireless remote. It releases a small dose of estrogen every day for up to 16 years. MIT’s Robert Farra said secure encryption prevents a third party from “trying to interpret or intervene between the communications,” and the next challenge is ensuring the device can’t be activated or deactivated without the woman’s knowledge. [BBC News]

US – Humans Are Data Security’s Greatest Threat

In a recent report from the Ponemon Institute, 70% of the healthcare organizations and business associates surveyed identified employee negligence as a top threat to information security. Healthcare organizations face big challenges in plugging the human security gap. The biggest risk is a lack of awareness on the part of users. [IAPP]

Horror Stories

US – OPM in More Trouble After Contracting Gaffe

The beleaguered Office of Personnel Management (OPM) confirmed that a $20 million contract for offering ID theft protection to the victims of its summer hacking scandal was a breach of both the agency’s policies and the Federal Acquisition Regulation. In a letter to acting OPM Director Beth Cobert, the OPM’s Inspector General Patrick McFarland indicated that “investigators turned up ‘significant deficiencies’ in the process of awarding the contract to Winvale Group,” the report states. “Because of the missteps identified by the IG, OPM’s procurement shop selected the wrong contracting vehicle,” the report continues. However, “Winvale responded to a posting on FBO.gov, just like every other contractor that submitted a bid,” said a spokesperson for the company. “Winvale had no control over or insight into the bidding process.” [The National Journal] SEE ALSO: [Cobert Nominated for Official OPM Directorship] and [Security Tech Adviser Comes to OPM]

US – Cox Communications Settles with FCC for $595,000

The Federal Communications Commission’s (FCC) Enforcement Bureau entered into a $595,000 settlement with Cox Communications for failing to adequately protect the personal data of its subscribers when the company’s system was breached in 2014, according to an FCC press release. The settlement is the first privacy and data security enforcement action by the FCC with a cable operator. “Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said FCC Enforcement Bureau Chief Travis LeBlanc. “This investigation shows the real harm that can be done by a digital identity thief.” The settlement will also require Cox to notify affected customers, provide one year of ID theft service and “adopt a comprehensive compliance plan” with annual system audits. [Full Story]

US – $90,000 Settlement in Connection with Laptop Theft

The state of Connecticut will receive $90,000 from EMC and Hartford Hospital after the 2012 theft of an unencrypted laptop with nearly 9,000 patient records was left unrecovered. “Resolving things by agreement was the best course for all involved,” an EMC spokeswoman said. “The agreement will, however, not be considered as an admission by EMC and the hospital of any alleged violations in connection with the laptop incident,” the report states, adding that while “the laptop was not found, the hospital has held that there hasn’t been any evidence of misuse of the information.” [PCWorld]

US – Comcast Resets Stolen User Passwords, Says Systems Not Breached

Account information for 200,000 Comcast customers was found for sale on the Dark Web. The telecommunications company says that its systems were not breached, and that it will reset the affected passwords. [Washington Post] [ZDNet] Meanwhile, “teenage hacktivist group” Crackas With Attitude (CWA) leaked a list that they say contains the personal details of more than 2,000 government officials, a move that a member of the group “claimed … (was) in support of Palestine.” [Time]

Identity Issues

WW – Real Name Policy Revised by Facebook

Facebook has announced new policies regarding its “authentic names” requirements after mounting criticism from civil rights groups like the American Civil Liberties Union and the Electronic Frontier Foundation. Facebook has pledged to permit users to “provide more information about their circumstances,” Facebook VP of Growth Alex Schultz said in a statement. “It will help us better understand the reasons why people can’t currently confirm their name, informing potential changes we make in the future.” Schultz also announced Facebook’s creation of “a new version of the profile reporting process that requires people to provide additional information about why they are reporting a profile,” which aims to curb trolls “falsely flagging profiles for using a fake name,” a burgeoning form of harassment. [The Guardian]

US – Duplicate SSN Nightmare Not a Rarity

Starting with two women who share a birthday, a similar name, state residency and Social Security number, the duplicate data phenomenon “is not as uncommon as you might think … In fact, some 40 million SSNs are associated with multiple people, according to a 2010 study by ID Analytics,” the report continues. As such, “you should be reviewing those reports to see if there’s activity associated with your identity that you don’t recognize,” said Tripwire’s Travis Smith. “Either of these women could probably have seen the problem earlier if they had been doing that.” [Computer World]

US – New Firm Promises Highly Targeted Election Ads

Xaxis Politics, the product of a WPP and Haystaq alliance, will employ targeted ads to get the attention of voters before the 2016 U.S. presidential elections. “We haven’t seen anyone else doing (online political targeting) with this level of granularity,” said Xaxis CEO Brian Gleason, who added that the tool permits “laser-like targeting” of voters. The system should be used wisely, analysts caution. If “Internet users perceive the tailored ads as too intrusive or creepy,” the report states, their use “could absolutely backfire,” said Borrell Associates’ Kip Cassino. [Financial Times]

US – Anonymous Unhoods 1,000 KKK Members

Hacktivist group Anonymous made good on its threat to out the identities of Ku Klux Klan (KKK) members and sympathizers, releasing 1,000 names to the internet for netizens to do with as they will. “We hope Operation KKK will, in part, spark a bit of constructive dialogue about race, racism, racial terror and freedom of expression, across group lines,” Anonymous said. “We consider this data dump as a form of resistance against the violence and intimidation tactics leveraged against the public by various members of Ku Klux Klan groups throughout history.” [ZDNet]

US – OPM to Work to Make ID Protection a Basic Benefit

In its freshly published cybersecurity strategy, the Obama Administration encouraged the Office of Personnel Management (OPM) to include identity theft protection as a standard employee perk. The strategy “directs OPM within three months to review options and develop and deliver to (Office of Management and Budget) recommendations for making identity protection services a standard federal employee benefit,” and the OPM is listening. “Based on the response by individuals impacted by the personnel records incident there appears to be significant interest in these services by federal employees,” said an OPM spokesperson. “OPM continues to work with an interagency team to develop and deliver recommendations to OMB for making identity protection services a standard federal employee benefit.”[NextGov]

Internet / WWW

US – Hughes: Guidelines a Positive Step for OMB

The Office of Management and Budget (OMB) opened its revisions to guidelines for IT management, and while the inclusion of privacy training mandates garnered raised eyebrows from those in the IT field, some in the privacy community are impressed. The updates are a “sophisticated reflection on how privacy has evolved and arrived in today’s modern organization,” said IAPP CEO Trevor Hughes. These best practices mean that everyone who interacts with a company’s data “needs to understand enough about data management to not make a stupid decision,” he said. “Everyone who touches data is a risk factor with regard to privacy.” The OMB accepts comments on the revisions until November 20. [Gov Exec]

Law Enforcement

US – Supreme Court Won’t Hear Phone-Tracking Case; Lawmakers Want Answers on Gov’t Stingray Use

The U.S. Supreme Court has declined to hear a case on whether the government needs a warrant to collect cellphone location information. The case involves a man convicted of a string of robberies whose location was tracked via his phone. His lawyers argue that’s a violation of his privacy. Meanwhile, Rep. Jason Chaffetz (R-UT) has introduced a bill in the House of Representatives that would require law enforcement to obtain a warrant before using stingray surveillance, and a group of lawmakers—including Chaffetz—has sent a letter to 24 government agencies asking for their policies on using the technology. [ComputerWorld]

US – ACLU: Baltimore Riots Were Surveilled by Police Planes

According to documents obtained by the ACLU, the FBI deployed at least 10 flights of surveillance planes equipped with surveillance technology to monitor the riots in Baltimore, MD, earlier this year. Obtained under Freedom of Information Act filings, logs indicated more than 36 hours of flights—some of them carrying Baltimore police officers—occurred during the protests over the death of Freddie Gray while in police custody. During a Congressional hearing last week, FBI Director James Comey acknowledged the surveillance occurred upon request by local authorities but didn’t provide details on the permissions process. [Reuters]

US – New Bill Would Require Law Enforcement to Obtain Warrants Prior to Stingray Use

A new bill in the US House of Representatives would require law enforcement to obtain warrants prior to using stingrays. The Cell-Site Simulator Act of 2015, also known as the Stingray Privacy Act, also requires transparency about the technology to be used by those seeking the warrant. The Justice Department has a policy in place requiring warrants for the surveillance technology’s use; this bill aims to extend that requirement to law enforcement at all levels in the country. [Wired]

Location

US – License Plate Reader Data Exposed

The Electronic Frontier Foundation learned that more than 100 automated license plate recognition (ALPR) cameras were exposed online. In some cases, the camera live streams could be accessed. ALPR systems capture images of license plates and alert authorities when they spot a plate on the “hot list.” The data are collected and stored even if they belong to cars that have nothing to do with criminal activity. [EFF]

WW – New Tor Chat Tool

Tor has launched a chat tool that lets people communicate over the Tor network and hide their locations. Tor Messenger uses encryption by default. It cannot log chats. Tor Messenger is currently available to the public in beta. [BBC] [Ars Technica] SEE also: [Tor Messenger Released]

Offshore

IS – Supreme Court Rules Against RTBF

The Israeli Supreme Court declined to implement a right to be forgotten under Israel’s privacy laws. The decision overturned an order by the Directorate of Courts, an agency overseeing court administration, to legal databases to prevent indexation of court decisions by online search engines, such as Google. The Directorate cited litigants’ right to privacy in cases ranging from family law to personal injury, including quoting the Court of Justice of European Union decision in the Costeja case. The Supreme Court weighed the balance between the right to litigants’ privacy against the public interest in open court records, holding that clear legislative mandate was required to limit access to judicial data. The ruling stressed that under the Directorate’s order, court records would remain accessible by lawyers who paid to subscribe to legal databases, unjustly handicapping members of the public who do not typically subscribe to such services and access court data exclusively through the open web. The Court suggested that the legislature could protect litigants’ privacy by requiring courts to suppress sensitive information in judgments and, in appropriate cases, publish cases under pseudonymous litigant names. The decision, HCJ 5870/14 Hashavim H.P.S. Business Data v. Directorate of Courts, in Hebrew, is available at the “Full Story” link. [Full Story]

Online Privacy

WW – New Privacy Settings Announced by Google

Google announced its addition of both an advanced “about me” page and Privacy Checkup system, which allows users to have greater control of their online privacy. The “about me” page collects the user’s online information and personal details in one space, from which he or she “can directly jump into each section and delete or change the information to control what people see,” the report states, while the “privacy checkup” takes the user on a “step-by-step tour of (his or her) privacy settings one section at a time.” Meanwhile, the 3rd U.S. Circuit Court of Appeals threw out the class-action suit that alleged Google had “violated federal wiretap and computer fraud laws by exploiting loopholes” in Internet browsers. [CNET]

WW – Report: Six in 10 Don’t Download Apps Due to Privacy Concerns

A new Pew Research Center report looks at more than one million apps available in the Google Play Store and evaluates the kinds of permissions the apps require for use, according to a press release. The report found six in 10 users decided not to follow through with a download once they realized how much personal data the app would collect, and 43% uninstalled an app after downloading it for the same reason. In addition, nine in 10 users surveyed said knowledge of the kind of personal data an app collects is “very” or “somewhat” important to them in deciding whether to download. [Pew Research]

WW – Mozilla Releases Tracking Protection

Mozilla announced the release of a new feature in Firefox private browsing called “tracking protection.” The feature allows users to control the data third parties receive from them online. It blocks data-collecting content including ads, analytics trackers and social share buttons across sites. The feature also allows users to control data-collecting content on a per-site basis. [Full Story]

WW – IoT’s Unspoken Issue: MAC Addresses

Media access control (MAC) addresses present a severe privacy vulnerability in Internet of Things (IoT) devices, “anti-surveillance specialist” Adam Harvey argued at a Digital Catapult-hosted speech. “If we do this wrong we’re really screwed,” Harvey said. “The MAC address is such a big thing because so many devices use it. Anything with a networking card has a MAC address … We are about to manufacture and deploy billions of devices and we don’t even know what the problems are yet.” Potential manipulation is a concern. “If I were malicious,” he said, “I could construct a highly targeted phishing attack by saying, ‘I see you’ve been to the Grand Hotel, did you enjoy your stay there?’” [Computing]
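The reason a MAC address works as a tracking identifier is that a universally administered address is burned into one piece of hardware and stays the same wherever the device connects. The check below, added here as an example and not taken from the article or from Adam Harvey’s talk, reads the two flag bits of the first octet (the I/G multicast bit and the U/L locally administered bit, as defined in the IEEE 802 address format) to decide whether an observed address is a stable device identifier at all; locally administered addresses are what MAC randomisation on a client produces, so they do not tie frames to a device. The sample addresses are constructed placeholders; a real audit would read source addresses from a capture, and a vendor lookup would need the IEEE OUI registry, which is not included.

```python
import re
from typing import Dict, List

# Constructed sample of source addresses as they might appear in a capture.
# Placeholder values only; none belong to the article or to a real device.
OBSERVED_FRAMES: List[str] = [
    "00:1A:2B:3C:4D:5E",   # universally administered unicast: tied to one device
    "DA:A1:19:00:11:22",   # locally administered (bit 1 of 0xDA set): not stable
    "01:00:5E:00:00:FB",   # multicast (bit 0 of 0x01 set): not a device at all
    "00-1A-2B-3C-4D-5E",   # same hardware as the first, different separator
]


def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC address in upper case.

    Accepts colon, hyphen and dot separated forms; raises ValueError on
    anything that is not exactly 48 bits of hex.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify_mac(mac: str) -> Dict[str, object]:
    """Decode the privacy-relevant bits of a MAC address.

    In the first octet, bit 0 is the individual/group (multicast) flag and
    bit 1 is the universal/local flag. Only an address with both bits clear
    is a globally unique hardware identifier.
    """
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    multicast = bool(first_octet & 0x01)
    locally_administered = bool(first_octet & 0x02)
    return {
        "normalized": ":".join(digits[i:i + 2] for i in range(0, 12, 2)),
        "oui": digits[:6],  # first 24 bits; vendor lookup would need the IEEE registry
        "multicast": multicast,
        "locally_administered": locally_administered,
        "stable_identifier": not multicast and not locally_administered,
    }


def distinct_stable_identifiers(macs: List[str]) -> List[str]:
    """Return the unique addresses in `macs` that can track a device over time."""
    seen: List[str] = []
    for mac in macs:
        info = classify_mac(mac)
        if info["stable_identifier"] and info["normalized"] not in seen:
            seen.append(str(info["normalized"]))
    return seen


if __name__ == "__main__":
    for mac in OBSERVED_FRAMES:
        print(classify_mac(mac))
    print("stable identifiers:", distinct_stable_identifiers(OBSERVED_FRAMES))
```

Run against a list of source addresses from a capture, the last function reports how many devices on a network are exposing a fixed identifier; an IoT fleet where that list is long is one where the tracking concern in the talk applies without any further work by an observer.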

US – FCC Will Not Regulate Do-Not-Track Requests

The Federal Communications Commission (FCC) rejected a petition requesting it require companies to honor consumers’ do-not-track requests. The Consumer Watchdog petition wanted the FCC to “initiate a rulemaking proceeding requiring ‘edge providers’ (like Google, Facebook, YouTube, Pandora, Netflix and LinkedIn) to honor ‘Do-Not-Track’ requests from consumers.” The consumer advocacy group wanted the agency to use Title I and its Section 706 authority to regulate “information services.” The FCC said that when it reclassified broadband as a common carrier service, it would not “regulat(e) the Internet, per se, or any Internet applications or content.” [Ars Technica]

Other Jurisdictions

EU – New LIBE Committee Report on Data Protection in China

As part of a request by the LIBE Committee, the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs commissioned and released an in-depth analysis called “The data protection regime in China.” Co-authored by Prof. Paul de Hert and Vagelis Papakonstantinou, the analysis states, “One cannot talk about a proper data protection regime in China, at least not as it is perceived in the EU. The international data protection fundamentals that may be derived from all relevant regulatory instruments in force today … are not unequivocally granted under Chinese law.” The report also includes a list of policy recommendations for China. [Full Story]

EU – Microsoft to Open Data Centers Overseas

Microsoft announced it is creating two data centers in Germany, putting data out of the U.S. government’s reach. The facilities are controlled by T-Systems, a Deutsche Telekom subsidiary, which will be the “data trustee.” Microsoft employees won’t be able to access the data, which is significant, the report states, because “even though Deutsche Telekom has sizeable operations in the U.S., as a non-American company it is not legally subject to the same U.S. data-sharing rules.” Microsoft lawyers say the legal arrangements are “bulletproof” because if the company doesn’t even have keys to the building, “the U.S. government can hardly demand that it open the doors.” [Full Story]

EU – German Microsoft User Data to Be Stored in Germany

Microsoft will employ data centers in Magdeburg and Frankfurt, Germany, to hold the data of German customers after European critics conveyed surveillance fears. “These data centres will ensure that customers’ data remains in Germany and that a German company controls access to data in accordance with German law,” said Microsoft CEO Satya Nadella. “Microsoft sees cloud services as an opportunity for significant future growth as sales of its flagship operating system decline,” the report adds. [The Province]

RU – Russia to Force Twitter to Store Data In-Country

Russian authorities have allegedly told Twitter that it must store Russian users’ data in the country or face the potential of being blocked and fined. Russian Internet regulator Roskomnadzor issued the warning, even though in July it had said Twitter would not have to comply with Russia’s new data localization law. Roskomnadzor told Financial Times that the situation for Twitter has now changed. Roskomnadzor head Alexander Zharov said Twitter “changed their user agreement some months ago. And if you read that, people must provide a set of metadata, which in our understanding as a whole counts as personal data and allows to identify an individual.” [Radio Free Europe]

WW – Other Privacy News

The current opt-out-as-cybersecurity tack taken by the Senate regarding health records is “dangerously naïve” according to the Australian Privacy Foundation. It further alleges that the Senate “ignored expert advice by changing the e-health records to be opt-out,” the report states.

At the Chemical Watch Enforcement Summit, Dr. Knoell Consult’s Deirdre Lawler disclosed that select EU “data-sharing agreements … are being amended to allow companies in South Korea to use EU data to register chemicals.”

The Trans-Pacific Partnership’s full contents have been revealed, and advocacy groups like the Electronic Frontier Foundation are not impressed.

The Attorney-General’s Department has announced that the Australian government will soon issue an exposure draft of its data breach notification legislation.

In Serbia, the Commissioner for Information of Public Importance and Personal Data Protection has issued a press release that strongly criticizes a new draft Law on Personal Data Protection prepared by the Ministry of Justice, seeking “a greater degree of detail.”

Indonesia could see its first comprehensive data privacy law “as soon as mid-February 2016,” according to the Ministry of Communications and Information.

Privacy (US)

US – 200 Companies Support Student Privacy Pledge

The Future of Privacy Forum (FPF) and Software & Information Industry Association together have announced that 200 companies have now agreed to support the Student Privacy Pledge. The pledge, which also has support from President Barack Obama, the National Parent Teachers Association and the National School Boards Association, is legally binding and can be enforced by the Federal Trade Commission and state attorneys general. “Companies that serve students understand that they must maintain the trust of parents, students and teachers,” said FPF Executive Director Jules Polonetsky. “Although many states are passing new laws to govern student privacy, the pledge plays a key role in setting a national standard for protecting student data and ensures companies are aware of the central restrictions in statutes such as FERPA and COPPA.” [Student Privacy Pledge]

US – FTC Complaint Against LabMD Dismissed

Seven years after the alleged data breach initially occurred, the FTC Chief Administrative Law Judge, Michael Chappell, ruled on Friday to dismiss the FTC’s complaint alleging that cancer-testing laboratory LabMD failed to provide reasonable and appropriate security for sensitive personal data. The case currently represents the first time a company has challenged an FTC complaint brought on the grounds of unreasonable information security and won. The FTC’s enforcement arm is considering whether to appeal. [Full Story]

US – Appeals Court Decision Could Reset Wiretap Act

Google’s recent victory in the 3rd U.S. Circuit Court of Appeals regarding how it used data and its relation to the Wiretap Act was won with a cautionary admonition from the court: “Merely tracking the URLs someone visits can constitute collecting the contents of their communications, and that doing so without a warrant can violate the Wiretap Act.” “This is a pretty big deal for law enforcement,” said Stanford’s Jonathan Mayer. “The punchline is that if the FBI or any law enforcement agency wants to look at your web history, they’ll have to get a warrant for a wiretap order,” he said. [Wired]

US – BBB Takes Companies to Task for Failing Privacy Scores

The Better Business Bureau (BBB) found advertising companies Outbrain and Gravity non-compliant with its privacy and advertising edicts after both organizations failed to attach the AdChoices informational label on advertisements as a form of “enhanced notice.” In response, Outbrain said “it was aware of some problems with its privacy notifications, and had already contacted the publisher of one site that incorrectly implemented the widget,” the report states, promising that it “will continue to take a proactive approach to privacy and disclosure compliance.” Gravity has also “since modified its widget.” [Media Post]

US – Study: MA Student Privacy Lacking

An American Civil Liberties Union of Massachusetts report found that student privacy is lacking, with policies that “allowed schools to inspect school-provided devices without any notice or consent of either the students or parents.” “These kids are going to be adults someday,” said the ACLU of Massachusetts’ Kade Crockford. “If they have learned in schools that they are not to be trusted, that they have no right to privacy … on the Internet or on their iPods or laptops or phones, they may very well believe that this is how things work.” [CSM Passcode]

US – Advocates Call for Data Broker Regulation

Experts at a Senate Judiciary Committee hearing called for regulation of companies that collect and sell massive amounts of consumer data. In opening remarks, Sen. Al Franken (D-MN), who has introduced a bill that would regulate data broker practices, pointed to the myriad data breaches in recent years as evidence that more must be done to protect citizens’ data. The World Privacy Forum’s Pam Dixon testified that it’s “reckless and downright dangerous” not to protect data stored by data-brokers, adding the danger of big data is “what data doesn’t exist can be inferred. It creates an extraordinary network of information flows about ordinary consumers.” [Courthouse News Service]

US – EFF Voices TPP Concerns

The Trans-Pacific Partnership (TPP) continues to garner criticism from privacy groups after the full text of the document was released last week. “We don’t want to see the Internet become balkanized,” said the Electronic Frontier Foundation’s (EFF) Maira Sutton. “But having these discussions decided in a trade agreement is exactly the wrong place to do it. There’s been no security researchers at the table, no public interest groups that have been following this for a long time … trade agreements are not the place to decide digital policy.” [The Hill]

US – Privacy Groups Nonplussed by TPP

The Trans-Pacific Partnership’s (TPP) full contents have been revealed, and advocacy groups like the Electronic Frontier Foundation (EFF) are not impressed. The TPP “upholds corporate rights and interests at the direct expense of all of our digital rights,” the EFF said. Of particular concern is “provisions in the agreement that require real names and addresses associated with Internet domains such as .us, .ca or .au to be registered with the home government,” the report states. “This is dangerous especially for the ability of opposition groups in repressive countries to voice their concerns online without fear of violent retribution,” Fight For the Future (FFTF) said. President Barack Obama fired back, arguing that “if we don’t pass this agreement—if America doesn’t write those rules—then countries like China will.” [Full Story]

US – Washington Announces Privacy Guide for Residents

Washington State Gov. Jay Inslee has announced a new digital privacy protection guide and website to help state residents be aware about cyber privacy, protecting personal data online and the state’s data collection policies and practices, according to a press release. The state’s new website and privacy guide gives residents tips and strategies. Chief Privacy Officer Alex Alben said he hopes both give “citizens a fuller sense of both personal privacy rights and of the state’s commitment to ensuring our state government does everything in its power to safeguard personal data.” [Full Story]

US – Twitter Moves to Dismiss Link Lawsuit

Twitter fires back after a proposed class-action lawsuit alleges the company “surreptitiously eavesdrops on its users’ communications.” Plaintiffs argue that Twitter’s link shorthand has “traffic directed through its own system so as to negotiate better advertising rates,” a practice they argue is illegal under the Wiretap Act. Twitter argues in its motion to dismiss that its methods are “routine business conduct” that aim to “prevent spam and malware,” that the action requires the consent of users and that the process is outlined in its terms of service and privacy policy. [The Hollywood Reporter]

US – Other Privacy News

Google’s recent victory in the 3rd U.S. Circuit Court of Appeals regarding how it used data and its relation to the Wiretap Act was won with a cautionary admonition from the court: “Merely tracking the URLs someone visits can constitute collecting the contents of their communications, and that doing so without a warrant can violate the Wiretap Act.”

In a bipartisan letter to the Centers for Medicare and Medicaid Services, senators ask tough healthcare privacy questions, expounding on their frustrations regarding the numerous healthcare data breaches of late and outlining questions they have for the future.

Prosecutors say they know who hacked JPMorgan Chase last year. The three men responsible were indicted for separate crimes in July but are also responsible for the hack affecting 83 million customers’ personal data.

An amicus brief on the Lewis v. Superior Court of Los Angeles County case indicates that the ruling could have significant privacy implications. The legal proceedings aim to decide if the California Medical Board “infringed upon patients’ constitutional right to privacy when it obtained prescription data without a showing of good cause.”

The U.S. Supreme Court has declined to hear a case on whether the government needs a warrant to collect cellphone location information. The case involves a man convicted of a string of robberies whose location was tracked via his phone.

The Federal Communications Commission’s (FCC) Enforcement Bureau entered into a $595,000 settlement with Cox Communications for failing to adequately protect the personal data of its subscribers when the company’s system was breached in 2014, according to an FCC press release.

Sen. Al Franken (D-MN) has said he will reintroduce a bill that would ban stalking apps.

Privacy Enhancing Technologies (PETs)

WW – Yik Yak as Anonymous as It Seems?

Arrests tied to racially fueled threats posted on social media app Yik Yak have called the platform’s boasts of anonymity into question. The app is considered to be “by far the most widely adopted, anonymous, location-based applications at schools,” the report states. According to Yik Yak’s policies, however, it “can disclose to police each user’s Internet protocol address and GPS coordinates, along with details about the phone or tablet,” the report continues. While a spokesperson for the company would not disclose specific information about the frequency with which authorities ask for Yik Yak data, she acknowledged “the company works with authorities” and that in times of emergency the company doesn’t require the usual legal license to access data. [NBC News]

US – ROI Calculator Aims to Break Down Automation Worth

TRUSTe unveiled its return on investment (ROI) calculator for those unsure whether investing in “privacy automation technology” is the right step for their company, the organization announced in a statement. On TRUSTe’s www.privacy-automation.com, “visitors can read up on privacy assessment best practices or guidelines for evaluating privacy automation ROI,” as well as access the ROI calculator. The tool has “default values for each field based on our own research but each field is customizable so that users can tailor the ROI calculations to their own use case.” [Full Story]

WW – New Risk-Assessment Tool Released

Privacy Analytics has released a privacy-risk assessment tool to help organizations evaluate their data-sharing practices, according to a press release. Risk Monitor identifies gaps in existing practices and uses peer-reviewed algorithms and methodologies to look at organizations’ current risk for exposing personal health information or personally identifiable information based on “the context and intended use of each shared data set.” Pamela Neely Buffone, vice president of product management at Privacy Analytics, said organizations are looking to maximize the usefulness of their data assets and need to have “responsible privacy measures” to ensure compliance and “the lowest possible levels of legal, financial and reputational risk.” [Full Story]

RFID / IoT

US – UMass Awarded Grant To Study “Smart Building” Privacy

The National Science Foundation granted the University of Massachusetts Amherst $486,524 for a research project aimed “to enhance privacy in smart buildings and homes,” the university announced in a statement. “It’s very easy to know whether someone’s home or not by following energy use data, so that might be considered sensitive information,” said the University’s David Irwin, one of the project directors. “On the other hand, energy companies can save you money by knowing that same information. They can charge you less for electricity in off-peak hours, for example. One thing we’ll be studying is how to preserve individual privacy while still allowing utilities to improve their operations.” [Full Story]

Security

WW – Study Aims to Eradicate the Password

Tech companies Galois, Inc., its subsidiary Tozny, GlobeSherpa and IOTAS have united to develop an alternative to the password, a project the National Institute of Standards and Technology so believes in that it awarded Galois $1.8 million for its work. The goal is to build “a behavior-based authentication system dedicated to finding a happy medium between the need to validate users while also guarding their privacy,” the report states. It would permit “new ways for user information to be shared across organizational boundaries in a way that the user is in control over how the data (is) shared, what is shared, with who and when,” said Tozny founder Isaac Potoczny-Jones. [FedScoop]

US – Audit Again Finds IRS Security Lacking

A Government Accountability Office audit found the Internal Revenue Service’s (IRS) security systems to be flawed enough to put taxpayer information in danger, the second recent study to produce negative results. The audit discovered that the agency “doesn’t have sufficient control over its financial reporting system,” with some systems without an update in four years, the report states, adding that the auditors discovered vulnerabilities that the IRS itself hadn’t unearthed. In response, IRS Commissioner John Koskinen acknowledged that “challenges remain,” but said the agency had “established its ability to consistently produce accurate and reliable financial statements.” [NextGov]

US – Study: Not One U.S. State Prepared for Cyber Threats

A study by the Pell Center for International Relations and Public Policy at Salve Regina University found a “troubling lack of preparedness to deal with cybersecurity threats among a vast majority of state governments.” While all 50 states are forging ahead and investing in improvements to broadband communications, none of them “managed to meet all the evaluation criteria that Pell used to measure their cyber readiness,” said Francesca Spidalieri, senior fellow for cyber leadership. The study looked at whether each state had a cybersecurity plan, formal incident response capabilities, data breach notification and threat-information sharing mechanisms, the report states. [DARKReading]

Survey Finds Business Unprepared for Hacks

A new ISACA survey of 600 individuals in the cybersecurity fields found that while 74% were expecting to be hacked, only 67% felt “prepared to respond.” Cyberattacks in the form of advanced persistent threats (APT) “have become the norm,” said ISACA CEO Matt Loeb. “All organizations, regardless of their size, where they’re located or what industry they’re in, have to be prepared to deal with these things … There isn’t anybody that isn’t vulnerable. So when we talk about these things, it’s not a matter of if I’m going to be attacked, it’s a matter of when.” [Associations Now]

US – Conficker Found on Police Body Cameras

There are reports that malware known as Conficker has been found on police body cameras supplied by Martel Electronics. When the cameras were connected to computers, Conficker immediately tried to infect the machines. Once it had infected a machine, it tried to spread to other machines on the same network. Conficker was first detected in late 2008. [Ars Technica] [The Register] [ZDNet]

WW – Covington: Effective Log Management Can Prevent Breaches

In a blog post, Robert Covington discusses “the importance of good log management to prevent data breaches.” Covington cites such regulations as the Gramm-Leach-Bliley Act, Sarbanes Oxley, HIPAA and the Federal Information Security Management Act as all containing provisions on log requirements. But it’s not an easy thing to do, Covington writes. It requires sifting through a lot of records to find the ones that matter, and, in addition, for logs to matter during a forensic investigation, there have to be proper controls ensuring logs can’t be altered or deleted. Covington offers tips on how to be effective given the inherent headaches. [Computerworld]
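As an added illustration of the control Covington describes, logs that cannot be altered or deleted without detection, this is not code from his post or from Computerworld: a minimal hash-chained log whose verifier reports the first record that was edited, dropped, re-ordered or truncated. The sample log lines, the GENESIS anchor and all function names are constructed for this example.

```python
"""Tamper-evident log store (added example, not Covington's code).

Each record carries the SHA-256 of the previous record's hash, its own
sequence number and its content, so editing, deleting or re-ordering any
earlier line breaks the chain at verification time. Truncation of the tail
is only detectable against a head hash kept outside the log (e.g. shipped
to a separate system), which verify_chain() accepts as an optional anchor.
"""
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first record

# Constructed sample lines in a syslog-like shape (not real data).
SAMPLE_LINES = [
    "2015-11-16T08:00:01Z sshd[4012]: Accepted publickey for deploy from 10.0.0.5",
    "2015-11-16T08:00:07Z sshd[4013]: Failed password for root from 10.0.0.9",
    "2015-11-16T08:00:09Z sshd[4013]: Failed password for root from 10.0.0.9",
    "2015-11-16T08:01:30Z sudo: deploy : COMMAND=/bin/cat /etc/shadow",
]


def _digest(prev_hash: str, seq: int, line: str) -> str:
    """Bind previous hash, sequence number and content into one digest."""
    payload = json.dumps([prev_hash, seq, line], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_records(lines):
    """Build a hash-chained log from plain log lines; returns a list of dicts."""
    chain = []
    prev = GENESIS
    for seq, line in enumerate(lines):
        h = _digest(prev, seq, line)
        chain.append({"seq": seq, "line": line, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain, head_hash=None):
    """Return (ok, first_bad_seq).

    first_bad_seq is None when the chain is intact. When head_hash is given
    (the last hash recorded out-of-band), a chain that verifies internally
    but ends elsewhere is reported as bad at position len(chain): tail
    records were removed.
    """
    prev = GENESIS
    for expected_seq, rec in enumerate(chain):
        # A gap, duplicate, re-order or missing record shows up here.
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return False, expected_seq
        # An in-place edit of the line (or of its stored hash) shows up here.
        if _digest(prev, rec["seq"], rec["line"]) != rec["hash"]:
            return False, expected_seq
        prev = rec["hash"]
    if head_hash is not None and prev != head_hash:
        return False, len(chain)  # tail truncated
    return True, None


def grep_records(chain, needle):
    """Sequence numbers of records whose line contains needle (the 'sifting' step)."""
    return [rec["seq"] for rec in chain if needle in rec["line"]]


if __name__ == "__main__":
    log = append_records(SAMPLE_LINES)
    head = log[-1]["hash"]  # would be stored outside the log in practice
    print("intact:", verify_chain(log, head))
    log[1]["line"] = log[1]["line"].replace("Failed", "Accepted")
    print("after edit:", verify_chain(log, head))
    print("failed logins at:", grep_records(append_records(SAMPLE_LINES), "Failed password"))
```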

WW – NIST Issues Advice on Whitelisting

The US National Institute of Standards and Technology (NIST) published the Guide to Application Whitelisting to help organizations implement the technology. Whitelisting is the number one mitigation on both the NSA’s Top Ten and the Australian Signals Directorate’s Top Four Strategies to Mitigate Targeted Cyber Intrusions. [NextGov] [ComputerWorld] [The Register] SEE ALSO: http://www.asd.gov.au/publications/protect/application_whitelisting.htm

Surveillance

US – Federal Judge Rules NSA Program Illegal; Transition Will Happen

A federal judge has ruled that the NSA bulk collection of U.S. citizens’ phone records is illegal. The impact of the ruling, however, will be limited because the USA FREEDOM Act, which mandates a change to the NSA program, takes effect on November 29. U.S. District Court Judge Richard Leon sided with legal activist Larry Klayman, stating, “This court simply cannot, and will not, allow the government to trump the Constitution merely because it suits the exigencies of the moment.” Meanwhile, in a memo sent to relevant committees in the U.S. Congress, the NSA stated that it “has successfully developed a technical architecture to support the new program” in time for the November 29 deadline. [The Wall Street Journal] [The Hill] [Wired] [DC Judge Richard Leon’s opinion] [The Register] SEE ALSO: [James R. Clapper, Director of National Intelligence v. Amnesty International USA – Appeal – Supreme Court of the United States]

WW – Inaudible Sounds Being Used to Track Users Across Multiple Devices

High-frequency sounds are being used to track people’s behavior across multiple devices. The sounds, which are inaudible to humans, are embedded in television commercials and online advertisements. Tablets and smartphones detect the sounds. The US Federal Trade Commission (FTC) held a Cross-Device Tracking workshop on Monday, November 16, to address the issue. [Ars Technica] [FTC.gov]

US – Immigrant Ankle Bracelets Unwelcome

After a federal ruling found President Obama’s detention of undocumented immigrants to be illegal, the solution was to release the detainees and keep tabs on them via ankle bracelets, a choice that detractors argue is “not only stigmatizing, but also unnecessary.” While the government maintains that the monitors are “an economical alternative to detention,” those who wear the bracelet see it less as a cheap fix and more as an unwelcome Big Brother. “It’s like they make us free, but not totally free,” said Grace, an immigrant forced to wear the monitor. “It’s the same psychological game as detention. They aren’t freeing us totally. It’s, ‘If you break a rule, if you don’t tell us you’re leaving, we’ll put you in detention again.’” [The New York Times]

US – Biggest Breach of Attorney-Client Privilege in U.S. History?

The Intercept revealed it has received a massive trove of phone recordings from prisons and jails across the U.S. Obtained anonymously from a hacker via SecureDrop, the materials comprise more than 70 million records of phone calls and links to recorded conversations, placed by inmates in at least 37 states between December 2011 and the spring of 2014. The data was taken from the country’s leading provider of prison phone services, Securus Technologies. Highlighted in the breached material are approximately 14,000 recorded conversations between inmates and their attorneys, “a strong indication that at least some of the recordings are likely … privileged legal communications,” the report states. “This may be the most massive breach of the attorney-client privilege in modern U.S. history,” said ACLU National Prison Project Director David Fathi. [Full Story]

Telecom / TV

US – Vizio Sued Over Smart TV Data Collection, Sharing

A class-action lawsuit has been filed against Vizio “alleging that its use of data from smart TVs violates both federal and California state law.” The suit alleges Vizio doesn’t sufficiently protect the data it collects and shares via users’ smart TVs, in violation of the Video Privacy Protection Act. The suit also claims the company misled users about the way in which the collected data would be used. The suit follows news a hacker was able to gain access to a user’s home network via a Vizio smart TV. Vizio has not yet commented on the suit. [Consumer Reports]

US – TV, IP Address Tracking Product Raises Privacy Concerns

A report from ProPublica raised privacy concerns about television maker Vizio’s consumer-tracking policies, including its ability to track viewing habits and share such data with third parties to gain a larger picture of what those consumers do on their mobile devices. Vizio’s “Smart Interactivity Program” is the default for approximately 10 million users and combines viewing behavior with the user’s IP address. A Vizio spokesperson said that the company’s mining program is part of a “revolutionary shift across all screens that brings measurability, relevancy and personalization to the consumer like never before.” The company also said it shares “aggregate, anonymized data” with third parties to “make better-informed decisions” about content and advertising, the report states. [The Washington Post]

US Legislation

US – Bill Pushes for Auto Cybersecurity Frameworks

Rep. Ted Lieu (D-CA) introduced the Security and Privacy in Your Car Study Act of 2015, a bipartisan bill that would mandate the National Highway Safety Transportation Administration conduct a study to help determine “framework recommendations for vehicle cybersecurity” over the course of a year. “Americans have a right to drive cars that are safe and protected from hackers. Frankly, without adequate protections, a hacker could turn a car into a weapon,” Lieu said. The act “is a first step in bringing industry, advocates and government together to strike a balance between innovation and consumer protection to ensure that car navigation, entertainment and operating systems are safe and the data gleaned from such systems kept private.” [Fed Scoop] See also: [Ford: Car Data is “Your Data”]

US – Insurance Company Releases Data-Collecting Driving App

In 2014, Allstate Insurance developed a usage-based insurance program to collect data on users’ driving behaviors. It says 820,000 customers participate in “Drivewise” and has now launched Drivewise Mobile, which collects the same kind of information—braking, speed, etc.—making it the first major insurer to collect such data through a smartphone app. Allstate’s Ginger Purgatorio, vice president of the Drivewise program, says while the company had to deal with privacy concerns on data collection, customers are now accustomed to companies collecting their data if it means a benefit to them. “They’re willing to provide information to get that value,” she said. [CSO Online]

US – Franken Reintroduces Ban on Stalking Apps

Citing a Good Morning America report on “apps that can secretly track your every move,” Sen. Al Franken (D-MN) has said he will reintroduce a bill that would ban stalking apps. “My commonsense bill will help a whole range of people,” he said in a statement, “including survivors of domestic violence.” The Location Privacy Protection Act would require apps to obtain consumer permission before collecting location data and would require consent before location data is shared with a third party. [Broadcasting & Cable]

US – Other Legislative News

A Florida legislator has proposed a new law that would provide recourse for victims of drone accidents, allowing them “to recover costs from the owner and operator of a drone if the device ‘was a substantial contributing factor’ in causing the damage.”

The U.S. House Energy and Commerce Health Subcommittee has advanced a mental health reform bill that would alter HIPAA to allow “caregivers and family members to have more information about a mentally ill person’s care.”

U.S. Rep. Jan Schakowsky (D-IL) has submitted a bill to create federal data security standards in hopes that the recent U.S.-EU Safe Harbor invalidation “will spur Congress to action.”

Florida lawmakers have submitted a new batch of privacy legislation that would create exemptions to public records law, “ranging from topics involving substance abuse to cell-phone tracking.”

Maine’s drone privacy law has been in effect for a month.

+++


01-15 October 2015

Biometrics

EU – French: Fingerprints, Facial Scans, Should be Required at EU Border

French authorities want fingerprint and facial scans of everyone entering or leaving the EU. The proposal from the French delegation came as the European Commission puts more pressure on interior ministers to adopt its so-called “smart borders” package. The Commission plan is to set up a digital dragnet to monitor all non-EU nationals entering and exiting the EU. According to the Commission, the programme is needed to deal with a huge increase in people coming to and from the EU. It predicts that air border crossings could increase by 80% to 720 million in 2030. “This will result in longer queues for travellers if border checking procedures are not modernised in time,” warns the Commission document. But hot on the heels of their own version of the Patriot Act, France wants to “broaden the scope of the smart borders package for all travellers, also including European nationals”. The scheme was first proposed two years ago, but has been revived along with other security surveillance schemes such as PNR. Currently border checks for the Schengen area are based on passport visa stamps. There is no pan-European database recording travellers’ entries or exits. This makes it difficult for authorities to detect “overstayers”, says the Commission. [The Register]

WW – Facial Recognition Coming to ATMs

China Merchant Banks are employing facial recognition software in nine Shenzhen-based ATMs, phase one of a project that aims to install the system in 12,000 ATMs across the country by the end of the year. While facial recognition is just a part of a three-step verification process, critics are worried that the technology could still permit privacy gaffes to occur. Will the software mean “identical twins can access each other’s accounts easily?” asked one detractor on Weibo. The privacy concerns haven’t stopped other organizations, however, with companies like Alibaba and MasterCard set to unveil their own facial-recognition systems for finance-related ventures, the report states. [South China Morning Post]

CA – Royal Bank Adopts Voice-Recognition Technology to ID Customers

Following a pilot program last summer, Royal Bank (RBC) is rolling out “voice biometrics” technology. The service, which will require customers to opt in, will allow the bank to identify customers by the sound of their voice rather than by answering security questions or entering a password. RBC says it’s the first company to implement such a technology, which uses more than 100 characteristics to identify the customer, such as pitch and accent, the report states. Manulife employed a similar technology earlier this year. “It’s easy to pick up a piece of mail and look at someone’s confidential information, but you can’t steal a voice,” said a Manulife executive. [The Canadian Press]

US – Dismiss Our Biometrics Suit, Facebook Asks

Facebook has asked U.S. District Court Judge James Donato to dismiss a suit alleging its photo-tagging service violates biometric privacy laws. “The social networking service argues that the Illinois Biometric Information Privacy Act doesn’t prevent companies from storing photos of faces or information gleaned from those photos,” the report states. Facebook contends the law “only applies to faceprints that derive from in-person scans as opposed to photos,” the report continues. “Because plaintiffs’ claims rest entirely on information derived from photographs, their complaint should be dismissed with prejudice,” Facebook said in its filing papers. [Media Post]

WW – Facial-Recognition Regulations Considered; Researchers Unveil “Climb”

The Home Office “is considering increasing the regulations for retention of face recognition records.” The Home Office announced it is “undertaking a policy review of the statutory basis for the retention of facial images and consulting key stakeholders,” adding it is “considering the role of the Biometrics Commissioner. The government will of course publish the findings of the review and consult formally as appropriate.” Meanwhile, researchers from Cardiff University, the University of Warwick, Swansea University and the University of Birmingham have created “Climb, the Cloud Infrastructure for Microbial Bioinformatics” that permits other scientists to share genomic information more safely. [Biometric Update] SEE ALSO: [Start-Up Selling Eye-Tracking Technology to Major League Baseball]

Big Data

CA – Group to Study Data Collection

Researchers are getting ready to study “what information is being collected about Canadians and what it’s being used for, saying the public remains largely in the dark on the mass accumulation of personal data.” Queen’s University’s Surveillance Studies Centre will lead the five-year project to study the use of big data, the report states, noting the BC Office of the Information and Privacy Commissioner, the Civil Liberties Association and the University of Victoria are among the project’s partners. “Citizens have questions about how big data is being used by police, by political parties, in healthcare, education, social services and in other areas that touch their lives,” BC Privacy Commissioner Elizabeth Denham noted. “This project will probe big-data surveillance and analyze its scope, effectiveness and implications.” [The Globe and Mail]

EU – Agencies to Study Banks’ Big Data Use

The European Banking Authority, European Securities and Markets Authority and European Insurance and Occupational Pensions Authority will have their eyes on how banks employ big data in the coming year after expressing concern regarding not only the current utilization of information and its privacy impact but also its potential “to discriminate against certain sections of the population in so-called profiling.” The agencies will study the “opportunities and challenges” that come with employing big data. “The topic aims to analyze the adequacy of sectoral regulatory frameworks and identify any regulatory and/or supervisory measures which may need to be taken,” the groups said in a joint statement. [Reuters]

Canada

CA – Ontario Judge to Hear Telecom v. Police Case

An Ontario judge will soon rule on a consumer privacy case “that pits telecom companies against police departments.” In April, Peel Regional police obtained a production order for customer information from “all cellphones that accessed 36 cell towers owned by Rogers and Telus during a specific time frame,” the report states. While police said they needed the records to find a suspect, Rogers and Telus say the production order violates the Canadian Charter of Rights and Freedoms. Police have since withdrawn the order; however, the judge wants to hear the case because of an uptick in similar cases. [Toronto Star]

CA – Saskatchewan Changes Privacy Rules

After a care aide’s employment record was sent to reporters, Saskatchewan is making changes to its privacy rules. As a result, politicians will have to adhere to a new code of conduct that aims to ensure compliance with the province’s privacy act, and they will need to get written consent to “collect, use or disclose someone’s personal information or personal health information,” the report states. Previously, the Freedom of Information Act “didn’t technically apply” to members of the legislative assembly (MLAs), said Saskatchewan Party MLA Jeremy Harrison. Violators of the code could be charged with contempt, face a fine or be removed from the assembly for the day or the house indefinitely. [The Canadian Press]

CA – Yukon Government Developing New Privacy Rules for Health Records

The Yukon government is looking for input on who should have access to your personal health care records, and how accessible they should be. The government is working on new regulations focussed on managing and protecting health files. The new rules would fall under the Health Information Privacy and Management Act, passed in 2013 but not yet in effect. [CBC News]

CA – Critics Raise Data Privacy Concerns in Trans-Pacific Partnership Deal

Critics say Canadians need to see the full text of the Trans-Pacific Partnership (TPP) trade deal to know the privacy trade-off. “We’re dealing with just summary documents. The devil is in the details,” said University of Ottawa law professor Michael Geist. The deal includes provisions to protect the “free flow of information across borders” and “prevents governments in TPP countries from requiring the use of local servers for data storage,” the report states, which Geist finds particularly concerning. [CBC News] [Geist: How the TPP Puts Canadian Privacy at Risk] [Geist: How the TPP May Put Your Health Care Data at Risk]

CA – Questions Raised Over Preserving Sensitive Truth and Reconciliation Testimony

After years of collecting literally millions of documents and hearing the stories of thousands of aboriginal people who experienced abuse at residential schools, the Truth and Reconciliation Commission is ready to archive this material, much of it brutal and heartbreaking, in the new National Centre for Truth and Reconciliation at the University of Manitoba. Scheduled to open to the public this fall, it will serve as a rich repository and essential historical record of a haunting and tragic chapter of First Nations and Canadian history. Controversy has arisen, however, over whether survivors’ testimony, given privately by those seeking compensation for the abuse they suffered, should be preserved. It came as a shock to many who told their stories – confidentially, they believed – to adjudicators behind closed doors that their words might be preserved for posterity. Some argued against this scenario in an Ontario court last year. Justice Paul Perell ruled that the material from the Independent Assessment Process may be kept for 15 years but, in the meantime, identifying information must be redacted and those who testified be contacted to ask whether they would agree to have the documents remain in the archive; only with this agreement could individuals’ testimony be preserved beyond 15 years. Any other scenario would be a betrayal of survivors’ trust and detrimental to the cause of reconciliation, Justice Perell argued. Some see the ruling as a reasonable compromise but the NTRC launched an appeal, to be heard in court at the end of October. The centre wishes to preserve the documents and argues that it is well-placed to do so as an aboriginal-run organization mandated by the Truth and Reconciliation Commission. [University Affairs]

CA – Retired Mounties Sue RCMP Over Disclosure of Mental Health Records

A class action lawsuit filed in Vancouver alleges that the RCMP has breached the privacy of a number of Mounties by wrongfully disclosing their mental health records. The suit says that the disclosure of the records in 2012 was done to undermine the work of Dr. Michael Webster, a longtime RCMP psychologist who had treated the officers and who has been outspoken in the past on RCMP issues. Several retired Mounties, members of a group that represents about 2,300 officers across Canada, held a press conference outside the Vancouver Law Courts to explain the lawsuit. They told reporters that currently employed officers are afraid that if they speak out, they might be disciplined by their superiors. “The wrongful disclosure of our members’ mental health records undermines the trust and confidence members must have in our employer, to ensure that mental health supports can be accessed privately.” The suit says that in July 2012, the RCMP removed Webster from its list of approved registered psychologists and a month later initiated a complaint against him with the College of Registered Psychologists. It says the college requested that the RCMP disclose complete copies of the records of a number of Mounties who had been treated by Webster. The records were disclosed without notification to the officers and in violation of their privacy, says the lawsuit. A complaint filed against the RCMP with the Office of the Privacy Commissioner of Canada resulted in the commissioner finding that there had been a serious breach of privacy. [The Province]

CA – Ring Wants Controversial Report Released

Newfoundland and Labrador Information and Privacy Commissioner Ed Ring wants to make public a government sexual-exploitation study. The government says the 2011 report, It’s Nobody’s Mandate and Everyone’s Responsibility: Sexual Exploitation and the Sex Trade in Newfoundland and Labrador, was “based on interviews with sex workers and vulnerable individuals who could be put in danger if it was released publicly.” However, if it intends to keep the report under wraps the government will now have to go to court. Ring wrote in his review, “Public bodies cannot rely on speculation that harm might take place but must establish a reasonable expectation,” adding that identifying information should be blacked out as opposed to repressing the entire report. [The Telegraph]

CA – Denham Calls for Better Breach Protection

BC Information and Privacy Commissioner Elizabeth Denham “is calling for immediate action by provincial health authorities to boost measures that safeguard citizens’ health information in the absence of disclosure laws,” noting all provinces and territories except BC, Saskatchewan and Quebec “have legislated or incoming requirements that order health authorities to reveal the inappropriate release of private information.” Denham said, “It’s not in place here yet. It’s a problem.” Meanwhile, a breach affected University of Calgary employee records, and The Trump Hotel Collection has announced that point-of-sale systems at seven of its hotels in the U.S. and Canada “were infected with malware, potentially affecting an unspecified number of customers.” [Global News]

CA – Are Political Parties Violating CASL?

Via their email campaigns, “Canadian politicians may be violating Canada’s Anti-Spam Legislation (CASL), the very law they helped enact.” Citing a study from Toronto-based itracMarketer, an email marketing and CASL compliance software provider, the report suggests, “Canadian politicians may need a more compliant marketing staff because every political party failed at providing clear consent and permissions on their email collection pages.” The study looked at the country’s four major political parties’ email marketing, the report states, noting examples of CASL violations itracMarketer found include “not having a clear unsubscribe process, failure to explain the type of content they would send to potential subscribers and not providing a physical address on email collection pages.” [MediaPost] SEE ALSO: [Where the Parties Stand on Surveillance, Privacy] [Where Canada’s Three Political Parties Stand on Cybersecurity and Surveillance] [Election selfies are encouraged, but take them outside polling stations: Posting a photo of a completed ballot could land you in jail] [Green Party (Kris Constable) Views on Enhancing Security Against Cyber Attacks]

CA – Other Privacy News

Consumer

WW – Uptick in Privacy Products Indicates Citizen Concerns

Average citizens are increasingly out to protect their own privacy given Canada’s Bill C-51, which allows for an increased amount of information to be collected by government. As a result, product designers are creating anti-surveillance items. That trend was recently on display in London at the Victoria and Albert Museum, which focused on “objects that both encourage sharing information online (such as the selfie stick) and block it (such as the Cryptophone 500, a military-grade mobile with the highest security standards on the market … ),” the report states. The London exhibit is just one example of many new products to hit the market. [The Globe and Mail]

Electronic Records

US – Privacy Concerns Decline as Patients Acclimate to EHR Systems

Patients whose doctors use electronic health record systems are increasingly confident that their health information will remain private and secure, Weill Cornell Medical College researchers found in a new longitudinal study, published Oct. 5 in the American Journal of Managed Care. While electronic health record systems have been around since the early 2000s, they became more prevalent when the federal government began offering providers incentives to adopt the technology in 2009. To measure consumers’ perspectives on electronic health records, the researchers collected data through a random-digit-dial national telephone survey that polled about 1,000 people a year between 2011 and 2013. Some 41% of respondents were worried that electronic health records would lessen the privacy and security of personal health data in 2013, compared to 47.5% in 2011. While the 6 percent decrease is a good start, Dr. Ancker continued, the study also demonstrates that, through improved security and education, more work has to be done to sufficiently address patients’ worries. “New things make people anxious,” she said. The data also shows that there is a need to better educate patients about how electronic records work, as well as how they can improve the patients’ healthcare. [weill.cornell.edu]

US – Researchers Re-Identify 100% of ‘Anonymised’ Health Data

Researchers from Harvard University have published a paper claiming a 100 per cent success rate in de-anonymising patients from their supposedly anonymised healthcare data in South Korea. The study, which bears the Ronseal title of “De-anonymizing South Korean Resident Registration Numbers Shared in Prescription Data”, was published this week in Technology Science. Two de-anonymisation experiments were conducted in the study on prescription data from deceased South Koreans, with encrypted national identifiers – Resident Registration Numbers (RRNs) – included. The researchers found significant vulnerabilities in the anonymisation process applied to identifiers contained within prescription data, data which is often sold to multinational health companies. Finding that “weakly encrypted RRNs” may be vulnerable to de-anonymisation, both experiments were 100 per cent successful and revealed all 23,163 of the underlying RRNs. [The Register] [US – New Coding System Intrudes on Patients’ Privacy, Forces Doctors to Focus on Codes Rather Than Care]

CA – Group Health Centre Debuts Online Patient Portal

Sault Ste. Marie is now one of only a handful of cities in Canada where patients can access essential health information through an online portal, after the Group Health Centre launched its myCARE portal earlier this week. The system allows patients to send messages to their healthcare team, request prescription renewals, manage appointments, review select lab test results, and more through a home computer, eliminating the need to make a visit to the centre for these needs. GHC is now one of two centres in Canada – the other being CHEO in Ottawa – that has this specific technology available for patients. [Sault Ste Marie Star]

Encryption

US – White House Will Not Demand Back Doors for Access to Encrypted Data

The White House has decided not to pursue policy urging technology companies to build backdoors into their encryption systems despite law enforcement and intelligence agencies’ vocal assertions that the backdoors are necessary. They will still be able to pursue data with warrants. [CSMonitor] [TechCrunch] [ComputerWorld] [SCMagazine] [Ars Technica] See also: [Wired: A New Way for Tech Firms to Fight Orders to Unlock Devices]

US – Federal Judge Wants to Bring Encryption Debate to Courts

A federal judge in New York is seeking to expand the debate surrounding law enforcement access to encrypted communications technology. Magistrate Judge James Orenstein has suggested he would not issue an order sought by the government compelling Apple to unlock a suspect’s iPhone, the report states. Prior to ruling on the case, Orenstein asked the company to explain whether the government’s request would be “unduly burdensome.” According to the report, the judge may have chosen the wrong case to issue such a question, as the suspect’s phone is an older version that can be accessed by Apple. “He’s clearly a judge who is interested in opening topics to discussion in the judiciary, but he also thinks the larger public should know about the debate,” said former Texas Magistrate Judge Brian Owsley. [The Washington Post] SEE ALSO: [Discordant Encryption Attitudes Bring Policy-Making Woes]

US – Back Doors Are Not Necessary to Circumvent Encryption

Andy Greenberg writes, “Encryption usually doesn’t keep determined cops out of a target’s private data. In fact, it only rarely comes into play at all.” Of the 3,554 wiretaps reported in 2014, just 25, or 0.7% encountered encryption. And of those 25 cases, investigators were able to circumvent encryption 21 times. [WIRED] See also: [Apple Removes Apps that Install Root Certificates | Apple Support | iMore]

EU Developments

EU – Court of Justice Declares Commission’s US Safe Harbour Decision Invalid

Court of Justice of the European Union, PRESS RELEASE No 117/15, Luxembourg, 6 October 2015

Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity.

The Data Protection Directive provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.

The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’).

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the United States ensures an adequate level of protection of the personal data transferred (the Safe Harbour Decision).

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.

The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive. Nevertheless, the Court points out that it alone has jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a Commission decision is valid.

The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the Court states that the Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The Court observes that the Commission did not make such a finding, but merely examined the safe harbour scheme.

Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

The Court considers that that analysis of the scheme is borne out by two Commission communications, according to which the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

EU – ECJ: Safe Harbor “Invalid”

In a much-anticipated decision, the European Court of Justice (ECJ) was very straightforward in announcing that it has sided with Austrian law student Max Schrems, agreeing with his argument that the U.S. National Security Agency’s PRISM mass surveillance program, unveiled by Edward Snowden, makes the European Commission’s finding of U.S. adequacy for personal data transfer with the Safe Harbor mechanism “invalid.” Immediately, the privacy community began to react—including Schrems himself. [Full Story] See also: [Edward Snowden Says He Would Go To Jail to Come Back to The U.S.]

EU – ‘Safe Harbour’ Data Ruling Leaves U.S. Companies in Legal Limbo

A recent court ruling may boost the European Union’s efforts to reassert authority over how its citizens’ data is being treated and pressure other countries into creating privacy laws that are considered more equitable across borders. U.S.-based internet companies like Facebook, Amazon and Google are now likely scrambling to determine if they need to change their European operations after a judge in the European Union’s highest court ruled that the agreement allowing them to transfer data to the United States violates Europeans’ rights. [CBC News] SEE ALSO: [An Interview with the ECJ’s New President] [Safe Harbor Ruling Symptom of Global Surveillance Discord] [US – Post-Safe Harbor, Senators Push for Judicial Redress Act] and [Regan: Will Schrems Case Ultimately Hurt Europeans’ Privacy?]

EU – European Commission Faces Parliament Ire; Safe Harbor Questions Persist

European Commission leadership suffered the “slings and arrows” of a European Parliament unhappy with the institution’s handling of the now-invalidated Safe Harbor agreement. Parliament’s LIBE Committee also met this week and asked the Commission why Safe Harbor lasted 15 years. Meanwhile, Georgia Institute of Technology Prof. Peter Swire writes for Privacy Perspectives on the legal paths to move forward, and Denis Kelleher suggests that UK Information Commissioner Christopher Graham’s advice not to panic over Safe Harbor is the right advice for now. And in an interview with viEUws, European Data Protection Supervisor Giovanni Buttarelli shares “lessons to be drawn from the ruling, the impact of the decision on EU citizens as well as the efficacy of new instruments aimed at ensuring a high level of data protection.” [Full Story] SEE also: [Swire on Solving the Unsolvable with Safe Harbor] [ICO: Don’t Panic Over Safe Harbor—Yet] [A Look Forward After Safe Harbor’s Invalidation]

EU – LIBE: Why Did Safe Harbor Last 15 Years?

The European Parliament’s Civil Liberties Committee (LIBE) met to debate the European Court of Justice’s recent decision in the Schrems case invalidating Safe Harbor. The resounding message: What took so long? “It’s important to highlight that something went wrong here,” said German Green MEP Jan Philipp Albrecht, who is rapporteur to the General Data Protection Regulation and vice chairman of the LIBE Committee. Dutch MEP Sophia in ‘t Veld agreed, calling Safe Harbor “bad legislation” that “was dead a long time ago.” MEPs debated what should happen next, and while some called for Safe Harbor 2.0, in ‘t Veld said it’s time to “change strategy.” [IAPP]

EU – German DPA Takes Steps After Safe Harbor Decision

The ULD, the data protection authority for the German state of Schleswig-Holstein, has taken the step that many have predicted and issued a position paper that follows the ECJ’s logic to declare model contract clauses, and even consent, to likely be invalid ways of transferring data to the U.S. “The ULD specifically recommends that companies using standard model contracts cancel them with their U.S. partners and do a complete review of data transfers, consulting with the ULD in basically every instance.” ULD head Marit Hansen issued the press release and position paper. [Full Story]

EU – Inquiry Finds More Can Be Done to Explain RTBF

Privacy advocates argue that many Europeans do not understand their specific liberties as they relate to the so-called right to be forgotten (RTBF). As such, they suggest, Google and data protection authorities (DPAs) need to do a better job of informing their consumers of their rights, including the right to reach out to DPAs and ask for a second opinion if a company such as Google rejects their RTBF requests, the report states. Although Google does mention that appeals to DPAs are an option in “rejection emails” for RTBF requests, advocates argue more could be done. “I think both DPAs and companies would have a task in raising awareness and informing users,” said Dutch Liberal MEP Sophie in ‘t Veld. [EUObserver]

UK – MPs’ Communications ‘Not Protected’, Tribunal Rules

MPs have no protection from having their communications read by UK security agencies, a tribunal has said. Green Party politicians Caroline Lucas MP and Baroness Jenny Jones argued a long-standing doctrine protecting MPs’ communications was being breached. But in a landmark decision the Investigatory Powers Tribunal said the so-called “Wilson Doctrine” was no bar to the incidental collection of data. Ms Lucas said the decision was a “body blow” for democracy.

EU – Facebook Goes on Privacy Offensive

Facebook is moving to counter at least five different privacy investigations by EU-based data protection authorities (DPAs). In particular, Facebook says a case brought by the Belgium Privacy Commission could affect the security of its users. The case, which could have a ruling as early as this week, would allow the DPA to fine Facebook as much as $284,000 per day due to its controversial use of cookies on non-Facebook sites, the report states. However, Facebook says the cookies help it weed out bots and other automated online machines. Facebook’s Alex Stamos said, “Often regulators will focus on a very, very particular issue and lose sight of the safety issues that affect all 1.5 billion users.” [Full Story]

UK – Consumer Privacy and Security Fears, Complaints Up

Consumer complaints about the way personal data is handled increased by 30% from 2013 to 2014, according to figures from Pinsent Masons, acquired via several Freedom of Information requests to the Information Commissioner’s Office (ICO). Complaints about the security of personal information rose from 886 in 2013 to 1,150 in 2014, while complaints about personal data increased 64% over a five-year period. Pinsent Masons said the increase in consumer complaints highlights increasing levels of public unease over how big business and other organisations store personal information. [theregister.co.uk]

EU – Albrecht on GDPR: Very Possibly Done by End of Year

In a meeting of the European Parliament’s Civil Liberties Committee (LIBE), Vice Chairman Jan Philipp Albrecht, Green MEP and rapporteur to the General Data Protection Regulation (GDPR), provided a report on the trilogue negotiations around the GDPR. Chapter five is done, he said, and chapters two, three and four are largely complete. “My impression is that we managed to get agreement on, I would estimate, 70 to 80% of the text,” he said, adding issues like consent conditions, data minimization definitions and the duties for controllers and processors have yet to be finalized. Albrecht said it’s “realistically possible” negotiations will conclude before end of year. [Full Story] See also: [First Direct-Marketing Convictions Set Standard]

EU – ECJ Issues Weltimmo Decision

Denis Kelleher examines the European Court of Justice (ECJ) decision this week in Weltimmo. In the case, the ECJ was “asked to consider what jurisdiction the Hungarian Data Protection Supervisor might have over a website in Slovakia,” Kelleher wrote when the Advocate General’s opinion on the case was issued this summer. “While it is not yet clear what precise impact this judgment will have upon the trilogue negotiations,” the court’s “clear analysis of the jurisdiction and responsibilities of different data protection authorities must be of assistance and hopefully will enable the EU to bring those negotiations to a close.” [IAPP]

EU – EDPS: PNR’s Existence Isn’t Justified

European Data Protection Supervisor (EDPS) Giovanni Buttarelli has published his opinion on the proposed Passenger Name Records (PNR) initiative, arguing there is “a lack of information to justify the necessity” of the move and stating it “raises serious transparency and proportionality issues, and … might lead to a move towards a surveillance society.” PNR could include “home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details,” the report states. “We encourage the legislators, in assessing the necessity of such a measure, to further explore the effectiveness of new investigative approaches as well as of more selective and less intrusive surveillance measures based on targeted categories of flights, passengers or countries,” Buttarelli said. Meanwhile, more Snowden documents indicate the UK government spied on Internet users since 2007. [Out-Law.com]

EU – DPAs to Announce Cooperative Agreement

During their “Fireside Chat” at Dentons’ offices in London, UK Information Commissioner Christopher Graham and former interim Privacy Commissioner of Canada Chantal Bernier previewed details of a new cooperation agreement amongst global data protection authorities (DPAs) to be announced at the Data Protection and Privacy Commissioners Conference later this month. Sam Pfeifle writes that the Arrangement, as it’s being called, was first discussed at the DPAs’ conference in Mexico in 2011 and creates a common understanding of DPAs’ obligations as they work together “so that separate memorandums of understanding don’t have to be negotiated and signed each time DPAs coordinate on a case.” [Privacy Advisor]

EU – Other News

Facts & Stats

WW – Survey: Data Leaks a Privacy Malady

FinalCode’s 2015 State of File Collaboration Security study is shining light on a new trend of data leaks, which, according to the survey, more than 80% of information-security professionals have encountered. A data leak is “information that is shared inappropriately, sent to the wrong email address, stored on a computer that was lost or stolen or compromised through a general system security gap,” the report states. Uber, for example, has confirmed a recent data leak impacted 674 U.S. drivers. More than 75% of survey respondents are “very concerned to concerned” about data leaks, the report continues. [GovTech]

WW – Study: Cost of Breaches is on the Rise

The Ponemon Institute’s 2015 Cost of Cyber Crime Study, which examines 252 organizations in five different countries, found that while the average cost of data breaches rose 1.9% in the past year, boards are showing less engagement with data security. Larry Ponemon said the numbers are “moving in the wrong direction,” with breach response time also up 30%. Boards don’t seem to care unless stock prices are affected, said Curtis Levinson, a NATO cybersecurity advisor. The study notes that companies “that invest in adequate resources, employ certified or expert staff and appoint a high-level security leader have cyber-crime costs that are lower than companies that have not implemented these practices.” [IT World Canada] [Cost of Data Breaches Keeps Going Up. Do Boards Care?]

US – Study: Keeping Up with Data Protection Rules is Financial Burden

A Vanson Bourne survey commissioned by software company Ipswitch found that 68% of respondents believe staying abreast of data protection requirements is a “financial burden.” “Whilst IT professionals recognise the need to align data protection regulation to keep up with modern data-sharing practices and the globalisation of data, it is clear that compliance comes at a price for most,” said Ipswitch’s David Juitt in a statement. Meanwhile, Sachiko Scheuing tells Computing, “When companies around the world consider setting up a new unit in digital or mobile, I don’t think Europe is the preferred place to invest in.” Indeed, “Data protection continues to be a rapidly evolving area, and one that is increasingly important to business,” the Mason Hayes & Curran Tech Law Blog reports. [Full Story]

Filtering

US – Big Breaches Plague E*Trade, Dow Jones

Dow Jones and E*Trade recently alerted their customers that personal information had allegedly been breached. Although some “personal information had been compromised,” there is no evidence that it includes “any sensitive customer account information,” E*Trade explained in an email to its 31,000 affected customers. Meanwhile, Dow Jones CEO William Lewis alerted subscribers to the company’s breach by letter, indicating that between August 2012 and July 2015, hackers were looking for the “contact information for as many current and former subscribers as possible,” a number as high as 2.4 million. Additionally, “payment card … information for fewer than 3,500 individuals could have been accessed,” Lewis said. [BankInfoSecurity]

Finance

US – Lenders Look to Social Media to Gauge Creditworthiness

As financial lenders look for new and more accurate ways to determine an individual’s creditworthiness, some are placing data inputs on a spectrum: at one end sits credit card repayment history, the most accurate determinant, while at the other end social media posts are assessed. With banks concerned that they are turning down potential sources of profit, companies such as Fico and TransUnion are tapping alternative data sources. “If you look at how many times a person says ‘wasted’ in their (Facebook) profile, it has some value in predicting whether they’re going to repay their debt,” said Fico Chief Executive Will Lansing. “It’s not much,” he added, “but it’s more than zero.” [Financial Times]

UK – Glitch Exposes Bank Customers’ Financial Activities

A security glitch affecting online banking at Halifax and Bank of Scotland “has put tens of thousands of customers at risk of fraud by leaving their financial activities visible to anyone.” The banks, which are part of Lloyds, have not indicated how many accounts were affected, the report states, noting “fraudsters were able to view accounts without using hacking devices as they would only need someone’s name, date of birth and address to see their bank, savings, credit card, loan or mortgage account details.” All three of those details are obtainable from public records, social media or a stolen wallet, which is why authenticating on them alone does not amount to a security control. The issue was discovered last week by MoneySavingExpert.com, the report states, and the banks have since fixed the problem with additional security measures. [The Telegraph]

US – FBI Takes Down Alert on Chip Credit Cards After Bankers Complain

The FBI posted an online advisory about vulnerabilities in new chip-enabled credit cards, but removed the message less than a day later following concerns from U.S. bankers who back chip cards. The original online post was headlined, “New microchip-enabled credit cards may still be vulnerable to exploitation by fraudsters,” and was replaced by a “page not found” message. The FBI offered no comment on what happened to the original post, which raised the need for PIN (personal identification number) verification on chip-embedded cards. Whether a PIN or a customer’s signature should be used with a chip card has become a heated battle between the nation’s major retailers, which back a PIN, and the powerful credit card companies and major banks, which back signatures. The American Bankers Association contacted the FBI urging it to revise and clarify its original post, which took the form of a public service announcement (PSA), to reduce confusion over the use of PINs with chip cards, an ABA official said. [Computerworld]

FOI

CA – New Brunswick Making Open Data ‘Baby Steps’

The New Brunswick government is inching toward an open data portal that will allow citizens to click through public information that has been previously locked inside government servers. The commitment to opening up public data sets came when Premier Brian Gallant announced a digital government initiative earlier this month. [CBC News]

CA – No Harm to Public Safety in Releasing Most of Sex Exploitation Report

Two years after politicians and the police castigated CBC News for putting people in danger by reporting on a government-commissioned report into sexual exploitation in Newfoundland and Labrador, the province’s information watchdog has rejected those concerns, saying most of the document can be released to the public. “I am recommending that the majority of the report be released,” information and privacy commissioner Ed Ring wrote in a recent report. The government now has until Friday to decide whether it will follow the commissioner’s recommendations. Under new access to information laws, the onus is on the government to go to court to block the release of information the commissioner says should be made public. [Source] See also: [Transgender Canadians getting voter cards with birth names]

Health / Medical

AU – myHealth Record Under Governmental Scrutiny

The newly unveiled myHealth Record system has spurred such controversy that Health Minister Sussan Ley was called to a parliamentary joint committee on human rights to quell concerns. Liberal MP Philip Ruddock, the committee’s chairman, argued the system has “significant privacy concerns,” while the Australian Privacy Foundation said, “We suggest that the identity data … will be seen as very useful to the government, especially when cross-matched against the Internet and telecommunications data and other databases.” In response to the concerns, Ley said, “I can assure all Australians that as we develop an electronic health record system … all privacy and security measures will be taken to ensure the protection of a patient’s personal details.” [The Sydney Morning Herald]

US – HHS Roadmap Paves Way for Privacy

After months of feedback, the Department of Health and Human Services (HHS) has published its 10-year roadmap that illustrates “how healthcare facilities and patients should be able to share medical information” while protecting user privacy. “The roadmap includes a common clinical data set for every patient,” the report states. “In order for us to be able to understand the quality of care delivered for individuals and for populations, we need to have that data available,” said National Health IT Coordinator Karen DeSalvo, who also spoke of the need for “federally recognized, national interoperability standards … that would include privacy and cybersecurity standards.” The roadmap aims to clarify and “align federal and state privacy and security requirements that enable interoperability,” the report states. [ComputerWorld]

US – HealthCare.gov Gets Privacy Overhaul, Honors DNT

The Obama administration announced new changes to the HealthCare.gov website in time for a new round of health insurance sign-ups. HealthCare.gov CEO Kevin Counihan said the website will now feature a new “privacy manager” that allows users to opt out of embedded third-party tracking, analytics and social media sites, and will also honor do-not-track requests. Electronic Frontier Foundation (EFF) Staff Technologist Cooper Quintin said EFF applauds HealthCare.gov’s support of DNT and its decision to “give their users strong privacy controls,” adding EFF “would be thrilled to see more organizations, both public and private, follow their lead.” Meanwhile, CSM Passcode queries whether consumers should have the right to demand that websites not track them. [Associated Press]

CA – Alberta Privacy Commission: Health Record Breaches an “Epidemic”

In the wake of news that Alberta Health Services is disciplining 48 healthcare workers after a patient’s medical records were inappropriately accessed, a spokesman for Alberta’s Privacy Commission (APC) said such actions are part of a larger problem. Scott Sibbald, a spokesman for the APC, said, “More broadly, this isn’t an isolated incident by any means. We are seeing, and I guess for lack of a better term, an epidemic within electronic medical records systems.” Sibbald noted that, so far this year, there has been one conviction and two charges for unauthorized access. The agency is also investigating as many as a dozen additional cases. [CBC News]

CA – Yukon Government Developing New Privacy Rules for Health Records

The Yukon government is looking for input on who should have access to your personal health care records, and how accessible they should be. The government is working on new regulations focussed on managing and protecting health files. The new rules would fall under the Health Information Privacy and Management Act, passed in 2013 but not yet in effect. The territorial health department has put together a “discussion document,” and is seeking feedback from health professionals and other Yukoners. Living says the goal is to finish consultations by the end of this year, and have regulations in place in early 2016. [CBC News]

US – OCR Announces HIPAA Compliance Portal

In an attempt to provide HIPAA compliance guidance for mobile app developers and answer questions as they occur, the Department of Health and Human Services Office for Civil Rights (OCR) has created an online portal. “Historically, there have been limited opportunities to obtain guidance from OCR on how HIPAA applies to certain situations,” said David Wright Tremaine’s Adam Greene. “I hope that the OCR portal will provide a much needed influx of OCR guidance and clarification regarding how HIPAA applies to mobile health app developers, other cloud-based entities and other business associates.” The information requests will be anonymized, OCR Senior Adviser Linda Sanches said, thus making the portal a tool for learning, not enforcement. “We’re not going to track anyone down,” she added. [GovInfoSecurity]

Horror Stories

US – 15 Million Affected in Breach

Experian has confirmed that approximately 15 million customers, including T-Mobile users “who had applied for Experian credit checks, may have had their private information exposed.” “The unauthorized access was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015,” Experian’s website states. Experian and T-Mobile are working to notify customers. “Information from the hack includes names, addresses and social security, driver’s license and passport numbers,” the report states, noting Connecticut’s Office of the Attorney General plans to investigate the breach. [The Guardian]

US – Millions of Customer Records Breached

Scottrade has confirmed that 4.6 million contact records were breached from 2013 through 2014. “Although Social Security numbers, email addresses and other sensitive data were contained in the system,” the company said, “it appears that contact information was the focus of the incident.” The American Bankers Association has also discovered that “thousands of members’ personal information had been compromised.” Meanwhile, hackers may have accessed the financial information of Trump hotel patrons. The company said, “Although an independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken … we are providing this notice out of an abundance of caution.” [ZDNet]

US – Senator Wants Details on Experian Breach

Sen. Sherrod Brown (D-OH) of the Senate Banking Committee has written to Experian asking for details regarding its recent T-Mobile data breach. His questions include “how the breach occurred” and “what changes Experian was making to its systems to stop it from happening again,” the report states. “Protection of this information is of the utmost importance, especially because the scope of the information is vast and virtually no consumer can apply for credit without entering your system,” Brown noted. He also asked Experian to arrange “credit freezes” for victims of the breach. Experian representatives said in a statement that they “understand the concerns raised” and will be responding. [Associated Press] [T-Mobile Reviewing Experian Affiliation] [Three lawmakers want answers from Experian on the recent data breach affecting up to 15 million T-Mobile customers]

US – PIRG Calls for FTC Investigation of Experian Breach

Twenty-five “data security and consumer advocacy” groups, including the Electronic Privacy Information Center and the World Privacy Forum, co-signed a letter penned by the U.S. Public Interest Research Group to the Federal Trade Commission, urging the agency to launch an official investigation into the recent Experian data breach. “As you know, Experian is one of the three nationwide consumer reporting agencies, each holding data on over 200 million consumers,” the letter states. “A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster,” it continues. In response, an Experian spokesperson said “Experian understands the concerns raised and we are prepared to respond promptly to requests from regulatory agencies for more details about the incident.” Meanwhile, The New Yorker’s Om Malik argues that the company’s breach is just another iteration of the same grave trend. [The Guardian]

AU – Hackers Target Australian Health Sector, Selling Records for A$1,000

Hackers are targeting the Australian health sector, with fully populated digital health records sold on the black market for up to A$1,000 each. Plans to make the personally controlled electronic health record (PCEHR) an opt-out – rather than the current opt-in regime – could significantly expand the range of targets for health hackers. Carl Leonard, principal security analyst for Websense, said healthcare around the world is now experiencing 340% more attacks than the average industry sector. He said that, in 2014, there was a phenomenal 600% increase in the number of attacks launched against hospitals – and Australia is no exception. He said ransomware attacks were 450% more prevalent in healthcare globally than in other industries. He said: “Healthcare offers a very complete dataset that can be used for identity theft or fraud. It holds very up-to-date contact information so you can send targeted mails, and use the information and repurpose it for identity theft.” Leonard said some fully populated health records are fetching up to A$1,000 on the black market while the prices for credit card details continue to drop in what is considered a saturated market. [Computerweekly.com]

WW – Researchers Spot Potential Breach

“Researchers at Worcester Polytechnic Institute claim they’ve spotted a potential data breach issue involving Amazon Web Services (AWS).” Amazon, however, has responded that “AWS customers using current software and following security best practices are not impacted by this situation.” The researchers say they used an AWS instance to hack into another, but “only in a lab setting,” suggesting “a single cloud instance could be used by attackers to breach other instances running on the same machine, thus compromising individuals and organizations that are otherwise unrelated, except for using the same cloud service,” the report states. The scenario described is a cross-tenant side channel on shared hardware rather than a hypervisor escape, which is why Amazon’s response points to up-to-date software on the victim’s side as the mitigation. [Bank Info Security] See also: [Samsung breach the Result of Chinese Hackers]

US – Secret Service Privacy Breach Raises Concerns

The White House said that “significant concerns” have been raised by reports that scores of Secret Service employees accessed the unsuccessful job application of a congressman who was investigating agency scandals. Spokesman Josh Earnest said, though, that President Obama retains confidence in the agency’s director and that the “appropriate steps” will be taken to hold accountable any individuals who did not follow proper procedures. [The Associated Press]

NZ – Breaches Affect National Health Index, Merchant

A breach of New Zealand’s National Health Index exposed “confidential birth and death details” of 24,000 victims after an email was accidentally sent to the incorrect recipients. “Patients must be able to trust the information they give to doctors will only be accessible to staff involved in their treatment,” said Labour’s Annette King. King said the data is “particularly sensitive. Its release would be hugely distressing to relatives and loved ones,” adding, “any breach of this magnitude is unacceptable, full stop.” Meanwhile, the Australian Federal Police is looking into a breach that compromised shoppers’ home addresses and other personal information. [Computerworld] [NZ – Deaf Aotearoa flooded with complaints about Jehovah’s Witness church]

US – Uber Breach Investigation

Uber is investigating the breach of a database that contains information about the company’s drivers. A report from Reuters says that one suspect is Uber rival Lyft. Uber inadvertently posted the database key on a GitHub page before the breach. When Uber realized what had happened, it sent a subpoena to GitHub demanding information about people who visited that particular page during the period the key was visible. Someone using an IP address associated with Lyft’s Chief Technical Officer accessed the page. However, that IP address is not the same as the one used in the attack on Uber’s database. [SCMagazine] [Reuters] [Uber Focuses Legal Efforts on Identifying Hackers]
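The Uber incident above turned on a credential that was committed to a public repository. As an added example that is not Uber’s or GitHub’s tooling, the following scanner flags credential-shaped strings in text before it is pushed. It does not assume which kind of key Uber leaked: the patterns cover common formats (an AWS access key ID, a PEM private-key header, a `secret=`/`password=`-style assignment), and a Shannon entropy check separates opaque tokens from placeholder values. The sample input is constructed and uses the example key values from AWS’s own documentation, not live credentials.

```python
import math
import re
from typing import Dict, List

# Credential-shaped patterns. The "assignment" rule captures the value after
# secret/password/api_key/token identifiers and defers to an entropy test.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assignment": re.compile(
        r"""(?i)(?:secret|password|passwd|api[_-]?key|token)\w*\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{16,})"""
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character. Real keys sit well above 4.0; English words and
    placeholders such as 'changeme' sit below it."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str, entropy_threshold: float = 4.0) -> List[Dict]:
    """Return one finding per matched pattern per line: {'line', 'rule', 'value'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in KNOWN_PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "assignment" and shannon_entropy(value) < entropy_threshold:
                    continue  # low-entropy value: almost certainly a placeholder, not a secret
                findings.append({"line": lineno, "rule": rule, "value": value})
    return findings


# Constructed sample of a config file committed by mistake. The AWS values are
# the documented AWS example credentials, not real ones.
SAMPLE = """\
# constructed config committed by mistake
db_host = db.internal.example
AWS_ACCESS_KEY_ID = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
password = changeme_please_now_ok
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['rule']}: {f['value']}")
```

Wired into a pre-commit hook, a non-empty result from `scan` should block the commit; once a key has reached a public host, the only safe response is to rotate it, because (as the Uber subpoena shows) you cannot establish who copied it while it was visible.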

Identity Issues

WW – Coalition to Facebook: Rethink Policy

The Nameless Coalition, a new organization comprising groups like Human Rights Watch and the ACLU wrote a letter to Facebook articulating their displeasure with its policies regarding real names. “Users who opt to send Facebook their identification information are told that their information is secure but are given no information about how Facebook treats their data,” the coalition stated. “While we know not everyone likes this approach, our policy against fake names helps make Facebook a safer place by enabling us to detect accounts created for malicious purposes,” Facebook said. The coalition has requested a response to its letter by October 31. [The Verge]

US – FBI Urges Use of Two-Factor Authentication

The FBI is encouraging small- and medium-sized businesses, and Internet users in general, to use two-factor authentication to safeguard personal information. The FBI issued the advice as part of this year’s National Cyber Security Awareness Month. In a related story, a coalition of government agencies, technology companies and security experts met in Washington, DC, earlier this week to discuss ways to move toward stronger, two-factor authentication. [FBI] [ExecutiveGov] [DailyDot]

WW – Yahoo Aims to Phase Out Passwords With New Service

Yahoo’s next step in password security is to eliminate them altogether. Starting this week, the company announced, users of the Yahoo Mail app on both iOS and Android will have access to a new service called Yahoo Account Key, which uses smartphones to verify identities in lieu of traditional passwords. Here’s how it works: When users who sign up for Account Key try to access Yahoo Mail, they will no longer need to enter their password. Instead, the Account Key service will send a message to the smartphone connected to the account. With a tap on yes or no, users can indicate it is a legitimate attempt to get into the account or deny unauthorized access. If their smartphone is lost or stolen, users can verify identities through an email or a text message sent to alternative accounts and numbers. In addition to Account Key verification, Yahoo executives announced a revamped version of Yahoo Mail that allows users to connect with, manage and search Outlook, Hotmail and AOL email accounts while signed in to their Yahoo account. The new Mail also connects to Twitter, LinkedIn and Facebook to add photos and create “contact cards” with email, telephone and social media information for contacts. [Reuters]

UK – ‘Hidden Faces’ Proposed As a Biometric Privacy Solution

Biometrics researchers are working on a privacy solution for facial data that would split a smartphone user’s face image into two separate encrypted files, each of which is then “hidden” in a new, unrelated face, and the two stored separately. Using a technique known as visual cryptography, two facial data templates are created from a single face. These templates are then “hidden” in an unrelated face, for example a celebrity mugshot, with one kept on the device and the other in the cloud. Addressing the problem that a hacked mobile device could reveal the facial data stored on it for biometric authentication, the technique could eliminate the risk of reverse engineering from templates or even from secure elements, since either half on its own carries no information about the face. [planetbiometrics.com] See also: [UK – Identity Cards Can Solve Britain’s Migrant Crisis]
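To make the property behind the scheme concrete, here is an added example (not the researchers’ code) of the core 2-out-of-2 visual secret sharing step on a small binary image. Each secret pixel becomes a pair of sub-pixels in each share; a share on its own is uniformly random whatever the secret, and overlaying both shares (a per-sub-pixel OR) reveals the image. The face-template extraction and the embedding of each share into a host face described above are assumed to sit on top of this and are not shown; the 5×5 glyph is constructed.

```python
import secrets
from typing import List, Tuple

Image = List[List[int]]
PATTERNS = ((1, 0), (0, 1))   # sub-pixel pairs: 1 = opaque, 0 = transparent


def split(image: Image) -> Tuple[Image, Image]:
    """White (0) pixel: both shares get the same random pattern.
    Black (1) pixel: the shares get complementary patterns.
    Either share alone is a fresh coin flip per pixel, independent of the secret."""
    share_a: Image = []
    share_b: Image = []
    for row in image:
        ra: List[int] = []
        rb: List[int] = []
        for px in row:
            p = PATTERNS[secrets.randbelow(2)]
            q = p if px == 0 else PATTERNS[1 - PATTERNS.index(p)]
            ra.extend(p)
            rb.extend(q)
        share_a.append(ra)
        share_b.append(rb)
    return share_a, share_b


def stack(share_a: Image, share_b: Image) -> Image:
    """Overlaying two transparencies: a sub-pixel is opaque if either share is."""
    return [[a | b for a, b in zip(ra, rb)] for ra, rb in zip(share_a, share_b)]


def reconstruct(stacked: Image) -> Image:
    """Collapse sub-pixel pairs: (1,1) was a black pixel, (1,0)/(0,1) was white."""
    return [[1 if row[i] + row[i + 1] == 2 else 0 for i in range(0, len(row), 2)]
            for row in stacked]


def share_bias(share: Image) -> float:
    """Fraction of sub-pixel pairs equal to PATTERNS[0]. Close to 0.5 for any
    secret, which is what a share left on a stolen phone gives an attacker."""
    pairs = [tuple(row[i:i + 2]) for row in share for i in range(0, len(row), 2)]
    return sum(p == PATTERNS[0] for p in pairs) / len(pairs)


SECRET_IMAGE: Image = [   # constructed 5x5 'T' glyph standing in for a template
    [1, 1, 1, 1, 1],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
]

if __name__ == "__main__":
    a, b = split(SECRET_IMAGE)
    for row in reconstruct(stack(a, b)):
        print("".join("#" if v else "." for v in row))
```

The price of the scheme is visible in `reconstruct`: white pixels come back half-opaque (contrast loss) and the shares are twice the width of the original, which is why production systems apply it to a compact template rather than a raw photo.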

US – ACLU: License Chips a “Nightmare”

The growing trend of states enacting voluntary programs that connect one’s license to the Department of Homeland Security via RFID chips is what the American Civil Liberties Union (ACLU) calls a “civil liberties nightmare.” While “the cards are designed to be used instead of passports at U.S. land borders in a bid to speed up the entrance lines from Mexico and Canada,” their growing popularity could indicate that “such cards could become mandatory across the country,” the report continues. The ACLU said the “technology is a dream come true for identity thieves and stalkers,” while University of Washington researchers said there is “no encryption of any kind and they can be read by anyone,” noting “reading and cloning” of the chips “is possible.” [Ars Technica]

JP – ID Sparks Privacy Protests

Japan’s introduction of My Number ID, an identifier that “will unite personal tax information, social security and disaster relief benefits,” has sparked such intense privacy concerns that more than 400 protesters assembled in Tokyo to contest the move. “Chanting ‘Stop My Number now!’ and ‘No dangerous My Number card!’ protesters called for postponement of the 12-digit number,” the report states, noting the system is “expected to reach an estimated 55 million households” in an attempt to help “cut down on tax evasion and benefit fraud.” Sophia University’s Yasuhiko Tajima has called the My Number plan “unconstitutional,” the report states. [RT]

US – ID-Theft Center Advises Security-Freeze Customers to Watch Credit Report Costs

A Maine-based identity theft assistance company says customers who’ve recently put a security freeze on their credit reports should watch the cost of their policies. “We have become aware that some insurance companies are mistakenly using a customer’s frozen credit history as a negative factor when calculating the costs of the customer’s policy,” said Jane Carpenter, founder of Maine Identity Services. “This means that the rate charged for the insurance may be increased.” In one case, a customer’s rates increased by more than $150. Carpenter said those who’ve experienced a data breach and are receiving credit monitoring services should also watch costs. [Full Story]

WW – What’s in a Boarding Pass Barcode? A Lot

The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account. Interested in learning what’s in your boarding pass barcode? Take a picture of the barcode with your phone, and upload it to this site. This blog on the same topic from several years back includes some helpful hints on how to decode the various information fields that get dumped by the barcode reader. Finally, the standards for the boarding pass barcodes are widely available and have been for years. Check out this document from the International Air Transport Association (IATA) for more on how the barcode standards work and have been implemented in various forms. [KrebsonSecurity.com] [Krebs]
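To show what the barcode actually carries, the following is an added example, not code from Krebs’s post or from IATA: a parser for the fixed-width mandatory block of an IATA Bar Coded Boarding Pass (the `M1…` string encoded in the PDF417, Aztec or QR symbol) together with the conditional block that holds the frequent flyer number. Field offsets follow the published BCBP layout (a 60-character mandatory block, then a hex-sized conditional block with a `>`-prefixed version, a “unique” sub-block and a per-leg “repeated” sub-block). The pass is constructed, not a real one, and the year is supplied by the caller because the barcode stores only the day of the year.

```python
from datetime import date, timedelta
from typing import Any, Dict

# (field, width) in order; the mandatory block is exactly 60 characters.
MANDATORY = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_day", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1), ("conditional_size_hex", 2),
]


def parse_bcbp(data: str, year: int) -> Dict[str, Any]:
    """Decode the first leg of a BCBP string. `year` is an assumption the
    barcode itself cannot supply."""
    if len(data) < 60 or data[0] != "M":
        raise ValueError("not a BCBP mandatory block")
    out: Dict[str, Any] = {}
    pos = 0
    for name, width in MANDATORY:
        out[name] = data[pos:pos + width].strip()
        pos += width
    day = int(out["julian_day"])
    out["flight_date"] = (date(year, 1, 1) + timedelta(days=day - 1)).isoformat()

    cond_len = int(out["conditional_size_hex"], 16)
    cond = data[60:60 + cond_len]
    out["frequent_flyer"] = None
    if cond.startswith(">"):                  # conditional block present
        out["bcbp_version"] = cond[1]
        uniq_len = int(cond[2:4], 16)         # size of the "unique" sub-block
        p = 4 + uniq_len
        rep_len = int(cond[p:p + 2], 16)      # size of the per-leg "repeated" sub-block
        rep = cond[p + 2:p + 2 + rep_len]
        if len(rep) >= 37:                    # FF airline at 18..21, FF number at 21..37
            out["frequent_flyer"] = (rep[18:21].strip(), rep[21:37].strip())
    return out


# Constructed pass: 60-char mandatory block, then a 0x48 = 72-char conditional
# block (version 5, unique sub-block 0x18 = 24 chars, repeated sub-block
# 0x2A = 42 chars carrying the frequent flyer number).
SAMPLE = (
    "M1" + "DOE/JANE".ljust(20) + "E" + "XYZ789".ljust(7) + "SFO" + "JFK" + "UA".ljust(3)
    + "1234".ljust(5) + "300" + "Y" + "012C" + "0042".ljust(5) + "1" + "48"
    + ">5" + "18" + "1WW5295BUA 0016123456001"
    + "2A" + "0161234567890" + "0 " + "UA " + "UA " + "UA123456789".ljust(16) + " " + "2PC" + "N"
)

if __name__ == "__main__":
    for k, v in parse_bcbp(SAMPLE, 2015).items():
        print(f"{k:22s} {v}")
```

Everything in `out` is stored in the clear: there is no encryption or integrity check in the barcode, and the surname plus the six-character PNR is exactly the pair most airline “manage my booking” pages accept as a login, which is the reason the post above recommends the shredder.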

Internet / WWW

WW – TPP Signed: The ‘Biggest Global Threat to the Internet’ Agreed

An agreement that some campaigners have called the “biggest global threat to the internet” has just been signed, potentially bringing huge new restrictions on what people can do with their computers. The Trans-Pacific Partnership is the conclusion of five years of negotiations and will cover 40% of the world’s economy. Its stated purpose is to create a unified economic bloc so that companies and businesses can trade more easily, but according to campaigners it also puts many of the central principles of the internet in doubt. One particularly controversial provision makes it a crime to reveal corporate wrongdoing “through a computer system”. Experts have pointed out that the wording is very vague and could lead to whistleblowers being penalised for sharing important information, and to journalists ceasing to report on it. Other provisions require that online content providers such as YouTube and Facebook take down content on receipt of a single complaint, as they already must in the US. That will be harmful for startups looking to build such businesses, since they will need the resources to respond to every complaint, experts have pointed out. [The Independent]

WW – Study to Examine Challenges to Privacy

Singapore- and UK-based researchers have submitted a proposal to study the potential threats to privacy and security in the cloud. “Big data provides immense benefits ranging from innovative business models to new ways of treating deadly diseases. However, challenges to privacy arise,” said City University London’s Muttukrishnan Rajarajan, while the School of Electrical and Electronic Engineering’s Lu Rongxing noted, “If privacy is not well addressed, people may be reluctant to share their data.” If approved, the initiative will begin in 2016. Meanwhile, Singapore’s Personal Data Protection Commission has published two new surveys on consumer and industry opinions of the Personal Data Protection Act. [Computer Weekly]

Law Enforcement

US – NYPD Has Super-Secret X-Ray Vans

Police Commissioner Bill Bratton won’t let the NYCLU — or anyone else — bully him for details on the NYPD’s super-secret X-ray vans. The top cop was asked about the counter-terror vehicles, called Z Backscatter Vans, in light of the NYCLU’s request to file an amicus brief arguing that the NYPD should have to release records about the X-ray vans. The website ProPublica filed suit against the NYPD three years ago after an investigative journalist’s requests for police reports, training materials and health tests related to the X-rays were denied. [The New York Post]

Offshore

AU – New Data Retention Laws Begin Today

Beginning today, every phone call you make, text message you send and email you write will be tracked by the government under a new metadata retention scheme. This scheme is allegedly being implemented to protect the country against organised crime and terrorism, but it is also being slammed as a major invasion of privacy. An Essential poll from early in the year showed that around 40% of Australians supported the introduction of the new metadata laws and 44% did not, while 16% had no idea what the laws were. [news.com.au] International Business Times reports a survey by telecommunications industry lobby group Communications Alliance has found 84% of ISPs are not yet prepared to collect and store the required metadata. [BBC News]

Online Privacy

WW – Problematic Apps Removed from Apple’s Online Store

After Chinese-born apps were found to be laden with malware last month, Apple reviewed its App Store inventory and ousted those programs it considered “potentially invasive to user privacy.” “We’ve removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions,” said an Apple spokesperson. “We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk.” [CNET]

WW – Apple Pulls Some Ad- and Content-Blocking Apps Over Privacy Concerns

Apple has removed several ad- and content-blocker apps from its App Store after they were found to install root certificates that could potentially be used by third parties to access user information. The root certificates could be used to monitor data, which “could be used to compromise SSL/TLS security solutions.” [InformationWeek] [ArsTechnica] [The Register] [ComputerWorld] [CNET] [eWeek]

US – Senators Criticize W3C Do-Not-Track Approach

Sens. Ed Markey (D-MA), Al Franken (D-MN) and Joe Barton (R-TX) have sent a letter to the World Wide Web Consortium criticizing its approach to its do-not-track (DNT) standards. In the letter, the senators contend that the DNT definition will not protect users’ privacy and that “first-party” sites should not be able to collect data from users who opted out of web tracking. “We believe that both first and third parties should be held to high standards that respect privacy and promote competition online,” they write. Additionally, the different standards for first and third parties “gives certain companies … an exemption from what could serve as an important consumer protection and an unfair advantage over companies that better honor consumer rights and expectations.” [MediaPost]

WW – No-Tracking Search Engine Gets $9M from Investors

Swiss-born search engine Hulbee, which has received $9 million from investors, aims to become a “pro-privacy alternative to mainstream search engines.” Unlike other search engines, “it does not track users,” the report states. “It’s competing with other search players in the pro-privacy space,” promising untracked ads as well. According to Hulbee CEO Andreas Wiebe, “Ads on Hulbee are targeted based on the search query, so there’s no geotargeting or cumulative tracking,” the report states. “Hulbee doesn’t fall back on surveillance, so there’s no geotargeting,” Wiebe said. “For Hulbee, the user is completely invisible … We recognize that most consumers do not want to be tracked.” The system has been available in the U.S. since August. [Tech Crunch]

WW – Zombie Cookie Privacy Concerns Come Back To Life

Verizon plans to give AOL access to zombie cookie-gleaned information. “That means AOL’s ad network will be able to match millions of Internet users to their real-world details gathered by Verizon,” the report states, adding that “AOL will also be able to use data … to track the apps that mobile users open, what sites they visit and for how long.” The move has struck a chord with the privacy-conscious. “It’s an insecure bundle of information following people around on the web,” said Deji Olukotun of Access. Verizon disagrees. The information will go to “a very limited number of other partners and they will only be able to use it for Verizon and AOL purposes,” said Verizon’s Karen Zacharia. [Pro Publica]

WW – Google Disputes Claims Its In-Car Entertainment System Spies on Users

Following a report from Motor Trend magazine claiming Porsche had chosen not to use Android Auto in its newest cars because of privacy concerns, Google has denied the in-car entertainment system spies on users. The report claimed certain pieces of data from the entertainment system are collected and “mailed back to Mountain View, California. Stuff like vehicle speed, throttle position, coolant and oil temperature, engine revs … “ But Google disputed the report, saying, “We take privacy very seriously and do not collect the data the Motor Trend article claims, such as throttle position, oil temp and coolant temp.” [The Guardian]

Other Jurisdictions

WW – Forrester Releases 2015 Data Privacy Heat Map

To help global organizations navigate privacy regulations, which vary from country to country and can conflict with one another, Forrester has published its 2015 Data Privacy Heat Map. The map, initially created in 2010, features in-depth analysis of the laws and cultures of 54 countries. This year’s version includes non-European countries such as Chile, South Africa and Thailand, who’ve each made strides “toward their own comprehensive data privacy regimes,” the report states. Many countries are making changes to align themselves with the pending European data protection regulation, particularly in light of such provisions as the “right to be forgotten” and breach notification laws. [Forbes]

MX – Uptick in Gov’t Data Requests Sparks Worries

Officials and politicians in Mexico are concerned with the number of government surveillance requests and the lack of supervision in place to keep sensitive data away from those who don’t have the appropriate credentials to access it. The number of requests in 2014 for mobile records was up 25%. Privacy advocates “are particularly concerned because of Mexico’s high rate of corruption—it is not uncommon for criminals and security to work in concert,” the report states. In addition, a new telecommunications law passed in 2014 could make government surveillance easier, and “just 3% of the data requests made in Mexico got a judicial review.” [SC Magazine]

AU – Telstra Gets Extension; Law Changes Explained

Telstra has received an 18-month extension from the Attorney-General’s Department to ensure the organization’s full adherence to the metadata retention law that is now in effect, a process the company has said it has already begun. “We are pleased to say that Telstra is one of the few, if not only, I think, telecommunication providers that has submitted a data retention plan and had it approved by the government,” said Telstra’s Catherine Livingstone. “We are organised to do this and we will implement it over 18 months, and of course, we will work with the government following through on their undertaking to reimburse us for the costs incurred.” Meanwhile, The Sydney Morning Herald breaks down the new data retention changes. [International Business Times]

AU – OAIC Still Protecting Privacy as Staff Dwindles

The government’s decision to significantly defund the Office of the Australian Information Commissioner (OAIC) is troubling as “the privacy functions of the OAIC have arguably never been more important, and it has now been tasked with an even greater responsibility to oversee parts of the mandatory data retention scheme.” Those behind the scenes argue the shortage of funding stems from government displeasure with freedom of information. Regardless, Privacy Commissioner Timothy Pilgrim argues that although “the team (is) somewhat diminished in size” it is “no less committed, is now doing more than ever … to enforce Australians’ privacy and freedom of information rights,” the report states. Meanwhile, the OAIC plans to release telecommunication companies’ audit results. [The Guardian]

RO – President Signs “Big Brother” Law

Under a new law signed by Romanian President Klaus Iohannis, state authorities will soon be able to access such information as “phone-call metadata, equipment IDs and localization.” The controversial law, which Romania’s media has named “Big Brother,” provides a right to access data stored by Internet providers and telecoms. “Now, it just needs to be published in the Official Journal of Romania to come into effect three days later,” the report states. The Romanian Association for Technology and Internet’s Bogdan Manolea said, “Although it is not a data-retention law, the quality of the legal text raises more questions than answers.” [ZDNet]

WW – Other International News

Privacy (US)

US – Tech Giants Press Congress to Give EU Citizens Privacy Rights

A group of large U.S.-based technology companies have sent a letter to U.S. House of Representatives leadership urging them to pass the Judicial Redress Act, a bill that would extend certain privacy protections to EU citizens. The letter states that such a bill “is a critical step in rebuilding the trust of citizens worldwide” and that restoring “that trust is essential to continued cross-border data flows…” Meanwhile, the Computer & Communications Industry Association is opposing the Cybersecurity Information Sharing Act (CISA). Similarly, the American Library Association has said CISA would let federal intelligence agencies spy on people using library computers. [The Hill] [US – Google, Facebook, and Microsoft Stick a Bomb Under Hated CISA Cyber-Law] See also: [US – Candidates Need To Get Privacy Right]

US – Cartoon Network Cleared of VPPA Violation

The 11th Circuit Court of Appeals has ruled that Cartoon Network (CN) didn’t breach the Video Privacy Protection Act (VPPA). Plaintiffs had alleged their mobile information was tracked and shared when they used CN’s mobile app in violation of the VPPA. However, the court found that “downloading an app for free and using it to view content at no cost is not enough to make a user of the app a ‘subscriber’ under the VPPA, as there is no ongoing commitment or relationship between the user and the entity which owns and operates the app,” the opinion states. [The Hollywood Reporter]

US – Other News

Privacy Enhancing Technologies (PETs)

US – HP and 3M to Integrate Privacy Screens into Laptops

HP and 3M say they will integrate privacy screens into some laptops by next year. The feature will allow users to turn a screen black with a push of a button. “Currently, ensuring privacy in cramped quarters is usually handled by installing a clumsy plastic sheet that narrows the field of view to only the person directly in front of the computer.” “If you’re on the side, you see black. But when you have to peel off that screen when it’s time to show off your PowerPoint, they often get dinged up and lost,” the report states. [PCWorld]

WW – Silent Circle Focusing on Businesses, Not Consumers

Silent Circle Co-Founder and encryption guru Phil Zimmermann says that “People want their privacy for free,” and because of that, the company, which makes the privacy-protective Blackphone, is now focusing its sales efforts on businesses handling sensitive data instead of the consumer market. The company is looking to sell the Blackphone to large enterprises to help protect sensitive personal information, trade secrets and other communications because organizations “are operating in an environment where they’re under attack from hackers.” Meanwhile, the White House has said it will not ask Congress to pass a law requiring companies to decrypt communications data. FBI Director James Comey said, “The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry.” [Motherboard]

WW – Apple Acquires Privacy-Sensitive AI Start-Up

Apple has acquired artificial intelligence (AI) start-up Perceptio, a company known for building AI systems on smartphones without having to share large quantities of user data. According to the report, Perceptio aims to run AI image-classification systems on mobile devices without the assistance of external data, fitting in with Apple’s goal of limiting customer data usage. Apple’s Colin Johnson said, “Apple buys smaller technology companies from time to time, and we generally do not discuss our purpose or plans.” Last week Apple said it had acquired a UK-based start-up specializing in technology that allows “Siri-like personal assistants” to carry on longer conversations with users. [Bloomberg Business]

RFID / IoT

US – Pilot Program Aims to Use Smart Beacons to Track Riders Who Opt-In

A pilot program has been launched by a private contractor to track riders of Massachusetts public transit. The program’s aims are to “improve the rider experience” and help advertisers with the Massachusetts Bay Transportation Authority system “increase engagement and interaction with commuters,” by using a “secure, closed network of Gimbal Bluetooth Smart beacons” that the contractor—called Intersection—says won’t collect personally identifiable information. Riders would only be tracked if they opt in to an app that would allow for the tracking of the beacon’s signal. [NetworkWorld]

US – Insurance Companies Pair With Smart Products to Monitor Homes

Insurance companies are partnering with companies that offer smart products for homes to “get their foot in the door.” American Family Insurance, Liberty Mutual and Bloomington-based State Farm have recently paired with such companies as Google and Nest to offer policyholders discounts on their home insurance in exchange for using the devices. But not everyone thinks that’s a great idea. “These are double-edged products,” said Bob Hunter, insurance director for the Consumer Federation of America. “If properly controlled for privacy and only installed with the policyholder’s permission and total transparency, they can make a home safer … but without strict protections, these could be a threat to a family’s privacy and intimacy.” [Chicago Tribune]

US – Committee Proposal Would Create Civil Penalty for Car Hacks

The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade has proposed a requirement that vehicle manufacturers state their privacy policies and have proposed civil penalties of up to $100,000 for the hacking of vehicles. The lawmakers suggest the National Highway Traffic Safety Administration establish an Automotive Cybersecurity Advisory Council to develop cybersecurity best practices for U.S. car manufacturers. The “staff draft” released ahead of a hearing on the topic next week recommends manufacturers be required to have “reasonable measures” in place to protect driver information against hacks or face penalties of “not more than $5,000 per day.” [IDG News Service]

US – New Fridge Can Track Your Beer Supply

Internet-of-Things (IoT) technology continues its rapid growth, moving into the beer-tracking game. Bud Light, along with the National Football League, has introduced a new connected fridge that tracks and discloses real-time data on a consumer’s beer supply and temperature. The technology could eventually provide location to allow for home delivery. The fridge is currently only available in California. Meanwhile, California Gov. Jerry Brown has signed a first-in-the-nation bill mandating that smart televisions provide users with prominent notice during the initial setup that voice recognition technology is being used. AB1116 also prevents manufacturers and other third parties from using or selling recorded conversations for advertising. Privacy advocates are still concerned that collected data could be used to profile users, the report states. [MediaPost]

Security

US – FTC Launching Data Security Initiative

Several Federal Trade Commission (FTC) officials shared their views and concerns on recent developments in privacy at the IAPP Global Privacy Summit, and Bureau of Consumer Protection Director Jessica Rich said the agency is set to launch “Start with Security” to provide businesses with resources, education and guidance on data security. Jedidiah Bracy highlights the details on the program Rich and FTC Chairwoman Edith Ramirez shared at the event, the four trends Commissioner Julie Brill said the FTC is looking at and reactions from the FTC on the Obama administration’s proposed Consumer Privacy Bill of Rights. [Full Story] See also: [Is Your Company Ready for FTC Oversight of Data Security?]

US – New Cybersecurity Guidance Released by NYSE

The New York Stock Exchange (NYSE) published a new 355-page cybersecurity guidance with “46 chapters written by more than 35 contributors across security, business and government,” an offering that is touted by the NYSE as the “definitive cybersecurity guide for directors and officers” in the public sector. It “covers such topics as board obligations and action plans, how CEOs can ask better questions, how to protect trade secrets, as well as consumer protection and incident response,” the report states. “No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk,” said NYSE President Tom Farley in the publication’s introduction. “No company, region or industry is immune, which makes the responsibility to oversee, manage and mitigate cyber risk a top-down priority in every organization.” [Market Watch] See also: [FTC Security Workshop Next Stop: Austin]

US – New Protective Service Announced as Breach Reports Persist

Visa and FireEye have once again become allies on the breach protection front with the announcement of the protective service Visa Threat Intelligence. “The subscription-based service includes a web portal where Visa clients can share and view cyber intelligence, forensic threat analysis from recent data breaches and information on malicious software,” the report states, noting, “According to Visa, the ultimate goal with the program is to identify a breach, or a potential breach, before data can be used or compromised.” Meanwhile, SC Magazine reports on a breach involving America’s Thrift Stores, and a new report from Accenture suggests breaches in “the next five years will cost U.S. health systems $305 billion in cumulative lifetime revenue.” [ZDNet]

US – Group Urges FCC to Mandate Better Router Security

In a letter to the FCC, a group of more than 260 global Internet thought-leaders, including former FCC Chief Technologist Dave Farber and Internet co-inventor Vinton Cerf, unveiled an alternative plan to improve the security of WiFi routers. The proposal is in response to newly proposed FCC rules as disclosed in ET Docket No. 15-170. Farber said, “Today there are hundreds of millions of WiFi routers in homes and offices around the globe with severe software flaws that can be easily exploited by criminals. While we agree with the FCC that the rules governing these devices must be updated, we believe the proposed rules laid out by the agency lack critical accountability for the device manufacturers.” [Business Wire] See also: [FCC’s Privacy Regulation “Troubling,” House Republicans Argue]

US – Post-Ashley Madison Breach, Companies Turn to Cyberinsurance

The Canadian Press reports that several high-profile data breaches, most notably the Ashley Madison hack, are prompting companies to turn to cyberinsurance. Deloitte Director of Technology Research Duncan Stewart said, “The number of attacks are rising, the severity is rising, and when they come, they’re more difficult to deal with.” Stewart also said such insurance is now part of the cost of doing business, the report states. He also asked, “You wouldn’t own a factory and not have fire insurance, so why would you think about not having cyberinsurance?” [Full Story]

US – Lack of Data Puts Cyberinsurance Companies in a Bind

Breached businesses are frequently reticent about their experiences, and that has prevented the cyberinsurance industry from having the necessary data to both “accurately predict the risk of a breach” and determine rates. Besides employing computers to forecast risk—a process that is “totally at its infancy,” said George Washington University’s Costis Toregas—another option is a Department of Homeland Security-backed “third-party repository” of such information, the report states. “The unlocking of the potential market into the hundreds of billions of dollars will happen when they either develop a comprehensive kind of statistical base of losses or some strong models that can tell them with some level of confidence,” Toregas added. [Nextgov] [NYT Features Special Section on Security, Privacy]

US – Breach Insurance Policies Costing a Pretty Penny

As breaches multiply, so have the rates of insurers’ “cyber premiums.” “On top of rate hikes, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million, leaving many potentially exposed to big losses from hacks that can cost more than twice that,” the report states. “Average rates for retailers surged 32% in the first half of this year, after staying flat in 2014,” the report continues. And size doesn’t matter: “Even the biggest insurers will not write policies for more than $100 million for risky customers,” the report states, noting, “That leaves companies like Target, which says its big 2013 data breach has cost $264 million, paying out of pocket.” [Reuters] [Cyber Insurance Rates To Skyrocket]

Smart Cards

HK – Cards Recalled After Security Flaw Discovered

After a security vulnerability was found in credit cards “that allows holders’ names to be read by unauthorised sources when they make contactless payments,” the Hong Kong Monetary Authority (HKMA) called for seven banks to “recall or replace” said cards. “Some of the cards issued by the seven banks do not fulfil the HKMA requirements set up in 2012 regarding contactless payment,” an authority spokesperson said. “Namely, the bank must ensure that the data stored in the card and transferrable via contactless payment must include only information essential for transaction, and not include the user’s full name.” The breach was reported to the Office of the Privacy Commissioner for Personal Data as it “may involve a leak of nonessential personal data,” the spokesperson added. [SCMP]

Surveillance

CA – ‘Orwellian’ Surveillance System Monitors All [Cell] Phones on Prison Grounds

Correctional Services Canada is using advanced surveillance technology to record the phone calls and texts of not just inmates, but anyone within range. The technology, which is similar to the “stingrays” used by police in the United States, intercepts calls and texts coming from inside the prison, its parking lot, grounds and possibly even the surrounding area. In a memo, Warkworth’s warden Scott Thompson wrote that after a number of deaths and overdoses, he asked Correctional Services Canada to install the technology to help catch contraband. “Unfortunately, I knew that by trying to intercept what the inmates were doing, I would also be provided with information about cellular devices being used in noninmate areas.” [Toronto Star]

CA – Ontario IPC Releases Surveillance Guidance

The Information and Privacy Commissioner of Ontario (IPC) published Guidelines for the Use of Video Surveillance in an attempt to regulate the use of surveillance and protect user privacy, the agency said in a statement. “Video footage captured by cameras is regularly used to assist in the investigation of wrongdoing,” the IPC report states. “However, the use of these surveillance technologies can put individuals’ privacy at risk. Therefore, it is important to carefully consider both whether it is appropriate to install video surveillance and how it is used.” The guidelines cover everything from “appropriate retention periods” to “notices of collection” while aiming to blend old guidance with new. “By following these guidelines, institutions can use video surveillance technologies, while protecting individuals’ privacy in accordance with their obligations under Ontario’s privacy legislation,” the report notes. [Full Story]

WW – New CCTV Cameras Surveil and Protect Privacy

Canon is experimenting with new CCTV technology that provides certain privacy protection but still records individuals in specific restricted areas. In recent demos by the company, new surveillance cameras can be programmed to watch restricted areas while blocking out individuals outside that area. Any images outside the restricted area are processed into a “pale green ghost.” Traditionally, cameras are aimed at a restricted area, but often capture peripheral images of people walking by. Canon’s new camera would avoid that, thereby helping it comply with some local privacy laws around the world. [PC World]

US – DHS Detains, Forces Mayor to Hand Over Passwords

Returning from a conference overseas, Stockton, CA, Mayor Anthony R. Silva was detained by representatives of the Department of Homeland Security who not only confiscated his electronics but also made his ability to leave their custody dependent on disclosure of the devices’ passwords. “Unfortunately, they were not willing or able to produce a search warrant or any court documents suggesting they had a legal right to take my property,” Silva said. Additionally, the mayor was informed that he had no right to have a lawyer present, the report states. “I think the American people should be extremely concerned about their personal rights and privacy,” Silva said. Anonymous sources allege his detainment was in connection to an ongoing probe, the report states. [Ars Technica]

WW – UL Working on Wearable Security, Privacy Standard

UL, formerly known as Underwriters Labs, will soon certify the safety and security of wearables and other Internet-of-Things (IoT) devices. The company, which is better known for certifying appliances for electrical safety, is currently developing draft security and privacy requirements for IoT devices and expects to launch the program in early 2016. “When we think of how wearables are used, there are a lot of different implications for security,” said UL Principal Engineer for Medical Software and System Interoperability Anura Fernando, adding UL aims to “begin to raise the bar for how security should be addressed … and establish a minimal baseline for what should be addressed much like we did with electricity 120 years ago.” [Computerworld]

Telecom / TV

US – Wireless Industry Issues New Privacy Commitments

The Wireless Association, based in Washington, DC, has issued a set of voluntary antitheft commitments for device manufacturers with the intent to protect user data while limiting the theft of smartphones. Nearly 20 wireless providers have now agreed to implement an antitheft tool, either preloaded or downloadable, to remotely wipe user data in cases of smartphone theft. The agreement also states that phones made after July 2016 will provide users with tools to disable the antitheft technology and use one of their choice. According to the report, smartphone thefts are down 20%, likely from password protection. [ABC News]

US Government Programs

US – Audit Finds Some IRS Systems Dangerously Decrepit

According to a recent Treasury Inspector General for Tax Administration (IG) audit, some Internal Revenue Service (IRS) systems are vulnerable to data theft due to out-of-date technology. “We believe that running workstations with outdated operating systems poses significant security risks to the IRS network and data, particularly in the environment where a chain is only as strong as its weakest link,” the IG said. However, the IRS said it has made changes “to dramatically increase the velocity of upgrades while minimizing risks and costs.” The IRS also cited budget restrictions as a hindrance to technological advancement. The Obama administration has asked for a $242 million cybersecurity allotment for the IRS in its proposed 2016 budget. [The Hill]

US – Defense Department Contractors Must Report Breaches

A new rule requires many US Department of Defense (DoD) contractors to report “cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system.” The rule applies to the more than 100,000 contractors in the DoD’s Defense Industrial Base information sharing network. [The Hill] [NBC News] [Federal Register]

US Legislation

US – California Amends Definition of Personal Identifiable Information and Breach Notification Content Requirements

On October 6, 2015, California Governor Jerry Brown signed into law several changes to California’s Data Breach Notification Statute. The law, as amended, adds additional categories of information into the definition of Personal Information, such as licence plate numbers, new content requirements for data breach notifications (together with a new form that when used properly will be deemed compliant with the new requirements), and a new definition of “encryption.” The amendment becomes effective as of January 1, 2016. [Mondaq News]

US – California Governor Signs CalECPA Into Law

California Gov. Jerry Brown signed into law the California Electronic Communications Privacy Act (CalECPA), making California “the first (state) to enact a comprehensive law protecting location data, content, metadata and device searches,” Nicole Ozer, technology and civil liberties policy director at the ACLU of California told WIRED. Privacy advocates are applauding its passage, and the Electronic Frontier Foundation calls it a “significant milestone in the campaign to update computer privacy laws, which have been stuck in the 1980s,” adding it hopes the move “will lend momentum to the federal Electronic Communications Privacy Act.” [IAPP]

US – New California Law Requires Warrant to Use Stingray

California Governor Jerry Brown has signed into law a bill that requires law enforcement to obtain a warrant prior to using cell-site simulators, often referred to as stingrays. The California Electronic Communications Privacy Act has been described as having a broad scope; it does not apply to specific technologies but instead aims to protect citizens’ digital privacy. [Ars Technica]

US – House Passes Bill Calling for DHS Strategy

The House of Representatives has passed a bill “demanding that the Department of Homeland Security (DHS) develop a formal cybersecurity strategy.” The bill outlines DHS’s responsibilities for a strategy to facilitate a hub that would allow for data-sharing on federal and civilian cyber-threats. It would also require DHS to provide technical assistance and damage mitigation for organizations that suffer hacks and breaches. Meanwhile, a congressman whose data was reportedly stolen in the Office of Personnel Management hacks says his data is now being used in identity-theft attempts. [Press TV]

US – Other Legislative News

+++

16-30 September 2015

Biometrics

US – OPM Confirms 5.6 Million Fingerprints Stolen in Hack

The government now says the number of compromised fingerprints illegally accessed in the second hack of the Office of Personnel Management (OPM) is five-times higher than originally thought. The government originally reported that 1.1 million fingerprints were stolen, but now the number has gone up to 5.6 million, the Department of Defense and OPM have said. The investigation of the breach by both agencies “identified archived records containing additional fingerprint data not previously analyzed,” the OPM stated. The agency downplayed the threat of the compromised biometric data, but said, “If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.” [Reuters] [Why OPM Hackers Wanted Fingerprints]

Big Data

US – UCLA Project Tackles Data

The next scholastic foray for Christine Borgman, the distinguished professor and presidential chair in information studies at UCLA, involves interdisciplinary data use and how the subject of the data impacts how it is handled, “with the aim of simplifying the complexities of data practices and challenging prevailing assumptions about the value of sharing data.” The “If data sharing is the answer, what is the question?” project aims “to provoke a much fuller and more comprehensive conversation about the diversity of data and practices, the infrastructure required to support them and the roles and responsibilities of varied stakeholders,” said Borgman, who has also written a book on the subject. [UCLA’s Newsroom]

WW – Is Data-Driven Sales Tech Crossing the Creepy Line?

Data-driven sales tools increasingly use predictive analytics and automation to help generate more effective sales. Burgeoning technological tools are helping companies determine those most likely to make a purchase, for example. A number of start-ups interested in automating sales departments have accumulated around $400 million in venture capital in the last two years, the report states, but some of the tools “seem creepy,” allowing salespeople, in one example, to see when a potential client reads an email and how long the client lingers on it, so the salesperson can follow up at a time of potential peak interest. Meanwhile, the Center for Digital Democracy and the U.S. Public Interest Research Group are asking the FTC to protect consumers from unfair lead-generation practices. [The Wall Street Journal]

WW – Data Should Be Accessible, But Not Too Accessible

Citing an education study in which researchers were able to examine the tax returns of students to gauge their future success, scientists and privacy advocates discuss what the balance of data access and privacy ought to be. “There is … concern that the rush to use these data could pose new threats to citizens’ privacy,” the report states. “The types of protections that we’re used to thinking about have been based on the twin pillars of anonymity and informed consent, and neither of those hold in this new world,” said New York University’s Julia Lane, adding, “Difficulty in access is a feature, not a bug … It should be hard to get access to data, but it’s very important that such access be made possible.” [Nature]

WW – Behavior-Based Premiums Make Privacy Community Nervous

Swiss health insurance company Dacadoo’s controversial consideration of upping premiums for the lazy has the privacy community examining the move’s potential impact. “There’s no solidarity if someone who does a lot of sports and takes care of their health has to pay the same high premiums as someone who smokes, drinks and drives and does not play sports,” said Dacadoo’s Peter Ohnemus. His words point toward a U.S. trend, the report states, noting, “The proliferation of Internet-of-Things devices is already creating a market for data that could give companies more insight into the behavior of their customers—or, in the case of insurance firms, on whom to place bets.” [Ad-Age]

WW – Industry 4.0 Emphasizes IoT, Data Security

A Boston Consulting Group primer looks at the nine pillars of Industry 4.0, or “the next phase in manufacturing, known as the post-information revolution.” The pillars span everything from cybersecurity and the Internet of Things to the cloud and big data, “all of which IT professionals must understand in order to effectively compete in the next 10-20 years,” the report states. The future of technology must include a discussion on ethical implications as well, Lisa Morgan writes for InformationWeek, noting, “while organizations usually have stated privacy policies, more could be done to ensure the ethical use of data.” Meanwhile, UNESCO also considered Internet ethics during its recent consultation, West Indies News Network reports. [Business to Community]

WW – Privacy and the Rise of Artificial Intelligence

Here are the latest developments from IBM’s artificial intelligence system, better known as Watson. “I have seen the future, and it is a world of unparalleled convenience, untold marketing opportunities and zero privacy,” writes James Niccolai. The catalyst for his report is a recent event held by IBM to share what will become available to developers for constructing smarter, “cognitive” applications. With the dramatic rise in data collection, artificial intelligence will play a significant role in weeding through and making sense of the “mountains of information” to “make decisions we can no longer arrive at through traditional programming,” Niccolai writes, adding, “This isn’t big data; it’s gargantuan data.” [IDG News Service]

Canada

Lawmakers in Ontario tabled Bill 119, which would amend the Personal Health Information Act. The amendments aim to require breach reporting, loosen rules around prosecution and double fines for “snooping” by healthcare workers.

In a recent ruling, BC’s Court of Appeal has limited police access to text messages.

Consumer

WW – Apple: User Experience Shouldn’t Be At Privacy’s Expense

Apple CEO Tim Cook published an open letter decrying corporations that offer their services for free while, in turn, utilizing user information for advertising profit, a move some believe to be a shot at its competitors. “A few years ago, users of Internet services began to realize that when an online service is free, you’re not the customer. You’re the product,” wrote Cook. “But at Apple, we believe a great customer experience shouldn’t come at the expense of your privacy.” The letter was released with information on Apple’s privacy policy “to explain how we handle your personal information, what we do and don’t collect and why,” Cook added. [Fortune]

US – Survey Shows Consumer Security Concerns

A Parks Associates study, Privacy and Big Data: Safeguarding Consumers, indicates that Internet-of-Things security concerns are rampant among Americans, with 40% specifically concerned about the vulnerability of their smartphones. “Big data offers tremendous opportunities to enhance every aspect of business operations, but it carries a whole new level of liability and responsibility,” Parks Associates’ Brad Russell said in a media release. “Service providers, manufacturers and app developers can all build personalized value-added services based on the data generated by these devices, but first consumers need to have the confidence to use these devices. Security is the price of big data benefits.” [EINews]

WW – In-Store Tracking Continues to Grow

Retailers’ use of mobile phone tracking continues to grow in popularity. Gleaning data in this fashion has been “cheap and easy to install, gave us continuous live data streams and had the least security and data protection issues,” said Bernard Marr, who used such tracking “to help a client understand some basics about shopper behavior in retail stores,” the report states. Indeed, “in the U.S., there is very little comprehensive regulation of privacy and data collection by nongovernmental entities,” one attorney notes, while another, Paul Lanois, points out, “If enough data can be tied to an identifier over the course of time, then it would be possible of course to identify the user of the device.” [Forbes]

US – Ads That Smile Back and Big Data in the Air

Coffee company Bahio utilized a Microsoft Kinect camera in its ads to collect 42,000 facial responses. Eventually, after scanning multiple faces, “the images and taglines changed to reflect viewers’ reactions,” the report states. While critics argue that “ads like these further erode individual privacy and consumers’ ability to choose who gets their data,” David Cox of M&C Saatchi, one of the companies that developed the ad technology, disagrees. “Each interaction is given a number; that’s it,” he said. “We’re trying not to be creepy.” Meanwhile, SmartDataCollective reports that for airlines, “trillions of calculations are being number-crunched to transform this goldmine of data opportunity into real, tangible high revenue opportunities for the airlines and their frequent flyer programs.” [Quartz]

WW – “Siri, Are You Keeping My Secrets?”

Apple’s iOS release and the digital assistant therein is giving privacy advocates pause. Users no longer need to press a button to ask “Siri” a question; instead, the phone constantly listens to conversations, waiting for an opportunity to assist with things like directions—or even to tell a joke. “When you enter the realm of always-on devices, there are real privacy implications that need to be addressed,” said Marc Rotenberg of the Electronic Privacy Information Center. Even if the user consents, he added, those nearby may not agree “to the routine recording of everything they might say.” [The Washington Post]

E-Mail

WW – Google Unveils Opt-Out, Auto-Spam Features

Google has unveiled two new features for Gmail. The “block sender” function allows users to block people from sending emails by automatically sending blocked emails to the spam folder. The unsubscribe feature allows users to stop receiving promotional emails without dealing with the typical “why are you leaving?” process involved in unsubscribing, essentially overriding the opt-out mechanism provided by the company sending the email. While typically that company would be responsible for the consent function, this feature changes that. The unsubscribe feature is available on Gmail’s updated Android app, the report states, but iOS users don’t have access yet. [Wired]

Encryption

US – Working Group Considers Ways to Access Encrypted Data

An Obama administration working group has come up with four possible approaches that tech companies could implement that would allow law enforcement to access encrypted data. Each of the methods could be implemented, but each also has shortcomings. [Washington Post] [Washington Post] [SCMagazine]

US – White House Had Explored Smartphone Encryption Workarounds

A report details behind-the-scenes attempts by an Obama administration working group to get tech companies to provide law enforcement with access to encrypted communications technology. Although the group said the four approaches it identified were “technically feasible,” each had drawbacks, too. According to senior officials, the potential solutions were not intended as “administration proposals” for fear of blowback, the report states. The National Security Council’s Mark Stroh said the administration “continues to welcome public discussion of this issue as we consider policy options.” While the group did not offer technical solutions, it did include guiding principles—two of which included no bulk surveillance and no “golden keys” for government access. [The Washington Post] See also: [The White House has indicated it will not seek legislation to mandate backdoors to encrypted communication services]

US – NSA Director Agrees that Encryption Key Copies Increase Likelihood of Breaches

During a Senate Intelligence Committee hearing on Thursday, September 24, NSA director Admiral Michael Rogers acknowledged that if the government holds encryption keys, there is a significantly higher risk of data breaches. Rogers was responding to a question from Senator Ron Wyden (D-Oregon). [VentureBeat]

WW – Let’s Encrypt Issues its First SSL/TLS Certificate

Let’s Encrypt, the free open source certificate authority (CA), signed its first certificate earlier this week. The project is currently in beta status. [ZDNet] [The Register] [ComputerWorld]

WW – Encryption Now a Part of Internet.org

Internet.org, Facebook’s free web services platform for developing countries, now boasts encryption—a 180-degree turn from May announcements that the program would operate without it. “Internet.org is pledging not to store any data on how people actually use the services,” the report states. “In its new data retention policy, the service promises to only store domain name information and the amount of data used, along with device information that would be visible even if the traffic were encrypted.” While “more detailed information will still be visible to Internet.org,” the report adds, “the platform says it won’t collect that data.” [The Verge]

EU Developments

EU – Safe Harbor Invalid, Says Top EU Court’s Advocate General

There has been a major development in the closely watched Schrems v Data Protection Commissioner case now in front of the European Court of Justice (ECJ): The ECJ’s Advocate General, charged with providing reasoned and impartial opinions to the court for its consideration, has delivered an opinion saying not only that the Irish Data Protection Commissioner has the right to investigate Facebook’s data transfers regardless of the Safe Harbor agreement, but also that the Safe Harbor agreement itself is “invalid,” due to the law-enforcement access to EU citizen data revealed by Edward Snowden. Denis Kelleher writes for Privacy Tracker about why this makes the Schrems case very interesting, indeed. [IAPP.org] See also: [BCRs Looking Good After Safe Harbor Opinion? Here’s Some Help]

EU – Schrems Reacts to Advocate General’s Opinion

It’s been a long road for Austrian student Max Schrems’ group Europe v. Facebook, but today, Schrems is celebrating. European Court of Justice (ECJ) Advocate General Yves Bot has issued his opinion in a case originally filed by Schrems alleging the U.S. National Security Agency collected Europeans’ data via Facebook in violation of EU law, and it looks like Schrems’ work may not have been in vain. Bot agrees with Schrems, it seems, and his opinion could mean big trouble for data transfers from the EU to the U.S. under Safe Harbor—especially without changes to the role mass surveillance systems play in data access. [IAPP.org] See also: [EU What’s Next for Safe Harbor?]

EU – 50 EU Parliamentarians Send U.S. Letter on “Digital Protectionism”

Fifty members of the European Parliament have released an open letter directed at the U.S. refuting claims, including by President Barack Obama, that the EU is engaging in “digital protectionism.” The letter states, “While we admire the dynamism and success of Silicon Valley, we trust in Europe’s ability to foster talent, creativity and entrepreneurship. The acronym ‘GAFA’ is not one we ever use, and we do not see legislation as a way to manage the growth of companies.” GAFA stands for Google, Apple, Facebook and Amazon, and has been used as a term to describe American imperialism, according to a Quartz report from 2014. Meanwhile, MEP Viviane Reding opines on the EU-U.S. Umbrella Agreement. [ZDNet]

EU – Privacy Commission: Don’t Be Intimidated by Facebook

An attorney for the Belgian Privacy Commission told a judge not to be intimidated by Facebook in a case in which the commission is trying to require the company to change its privacy policy for Belgian citizens. “Don’t be intimidated by Facebook,” said a commission official. “They will argue our demands cannot be implemented in Belgium alone,” he said, adding, “Our demands can be perfectly implemented just in this country.” An attorney for Facebook queried, “How could Facebook be subject to Belgian law if the management of data gathering is being done by Facebook Ireland and its 900 employees in that country?” [Bloomberg Business]

EU – CNIL Rejects Google’s RTBF Appeal

The French data protection authority, the CNIL, has rejected an appeal by Google on the so-called right to be forgotten. The CNIL has ordered Google to apply the decision to honor European takedown requests across all its websites, not just EU-based ones. The CNIL wrote, “Contrary to what Google has stated, this decision does not show any willingness on the part of the CNIL to apply French law extraterritorially … It simply requests full observance of European legislation by non-European players offering their services in Europe.” Google, which could now face fines up to $340,000, said it disagrees with the CNIL, adding, “We’ve worked hard to implement the right-to-be-forgotten ruling thoughtfully and comprehensively in Europe, and we’ll continue to do so.” [The New York Times]

EU – Media Orgs Object to CNIL’s May RTBF Order

The Reporters Committee for Freedom of the Press, alongside 29 other U.S. media organizations, sent a letter to French privacy regulators (CNIL) objecting to its May order that Google expand its Right To Be Forgotten delisting to all global iterations of the site. This, said the letter, is an “unacceptable interference with what people in other nations can post and read on the Internet.” The letter, according to the report, comes as CNIL considers whether to appoint a special rapporteur to respond to Google’s refusal to abide by its order. “We want to see the Internet as free and open as possible,” said Reporters Committee Executive Director Bruce Brown. “The order interferes with that.” [Columbia Journalism Review]

Research from Queen Mary University of London’s School of Law and lawyers at Pinsent Masons indicates the General Data Protection Regulation (GDPR) “will require big improvements to organisations’ computer security.”

The GDPR’s implications for protecting employee data are analyzed.

Amendments to Germany’s telecommunications law to meet the need for expanded WiFi access has privacy advocates and others concerned.

Facts & Stats

WW – Security Spending to Top $75 Billion

A new report from Gartner forecasts that security spending across the globe will reach approximately $75.4 billion in 2015, in large part driven by government initiatives, legislation and massive data breaches. “Interest in security technologies is increasingly driven by elements of digital business, particularly the cloud, mobile computing and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks,” said Gartner Research Analyst Elizabeth Kim. She also said organizations are investing in endpoint detection, remediation and cloud security tools and threat intelligence. [ZDNet]

US – Getting Data Protection Wrong a Costly Mistake

The cost of post-breach clean-up is growing in severity, and it can act as a powerful motivator for companies to get data protection right. “U.S. businesses didn’t need another reason to get very serious, very quickly, about cybersecurity, but now they have one,” said STEALTHbits’ Jeff Hill. “Add the cost of litigation in an increasingly hostile legal environment to the list of unsettling data breach consequences that already includes reputation loss, customer exodus, embarrassment and federal government fines.” The report comes on the heels of a Kaspersky Lab survey that found small businesses need a budget of at least $38,000 to be able to handle breaches. [InfoWorld]

Filtering

TH – Thai Single Gateway Plan Criticized

Thailand’s government is facing public outcry over its plan to establish a single Internet gateway for the country. Opponents of the plan say it will slow down Internet service and could cause enormous problems if it were to fail. They also noted that it would likely discourage foreign companies from doing business in Thailand. [ZDNet]

Finance

US – New Data Breach Guidance from PCI SSC

The Payment Card Industry Security Standards Council (PCI SSC) has published guidance for organizations to handle data breaches effectively and with minimal financial consequence. “Prevention, detection and response are always going to be the three legs of data protection,” said Stephen W. Orfei, PCI SSC general manager. “Better detection will certainly improve response time and the ability to mitigate attacks, but managing the impact and damage of compromise comes down to preparation, having a plan in place and the right investments in technology, training and partnerships to support it.” The guidance may prove timely for organizations looking to avoid expensive breach claims, which a NetDiligence study found averaged $4.8 million in 2015 for large companies. [Out-Law.com]

WW – Survey: Cybersecurity Experts Happy to Make Mobile Payments Despite Risks

According to a recent survey of 900 cybersecurity experts, 87% expect an increase in mobile payment data breaches over the next 12 months, but 42% have used the payment method in 2015. The 2015 Mobile Payment Security Study by ISACA indicates cybersecurity professionals, while aware of the risks, are willing to balance the benefits of mobile payments, the report states. “ISACA members, who are some of the most cyber-aware professionals in the world, are using mobile payments while simultaneously identifying and contemplating their potential security risks,” said ISACA’s John Pironti in a media release, adding risks shouldn’t slow down mobile payment adoption as long as they are properly managed. [Full Story]

US – SEC Fines Investment Firm $75,000

Missouri-based investment firm R.T. Jones Capital Equities Management has agreed to settle with the SEC and pay $75,000 over charges that it did not have a cybersecurity policy in place prior to a data breach that compromised the personal information of 100,000 individuals. During a four-year period, the firm stored the sensitive data on a third-party server, which was eventually breached in 2013. The SEC alleged the company never had any cybersecurity policies or procedures in place and did not conduct risk assessments or implement any security protections like firewalls or encryption. McDermott Will & Emery’s Eugene Goldman said, “This is the start of a series of similar actions that will be brought this year and next.” [InvestmentNews]

US – EMV Implementation is Chip-and-Signature, Not Chip-and-PIN

As of October 1, 2015, US retailers were supposed to have adopted technology that allows them to accept chip-and-PIN payment cards. The technology, also known as EMV (for Europay, MasterCard, Visa), aims to provide stronger security for payment card transactions. However, what has been implemented in the US is chip-and-signature instead of chip-and-PIN. Not requiring cardholders to enter a PIN to verify purchases diminishes the security of those transactions, since the chip alone does not verify that the person presenting the card is its legitimate holder. [Wired: http://www.wired.com/2015/09/big-security-fix-credit-cards-wont-stop-fraud/] [SC Magazine] [CNET]

FOI

US – UC Berkeley First to Release Transparency Report

The University of California-Berkeley is now the first U.S. university to have published a set of transparency reports on government data requests. The reports outline requests on student, faculty and staff data. Berkeley has stressed the importance of digital privacy on campus for some time. It has 37,000 students and up to 100,000 devices potentially connected to its network at any time. The school sometimes handles law enforcement data requests, and its new report explains how, with processes that include a request form to be reviewed by the school’s privacy office before being approved or denied. [Slate]

Genetics

US – Genetic Database Privacy Questions Remain

A National Institutes of Health (NIH) Advisory Group’s recommendations on the Precision Medicine Initiative (PMI) genetic database indicate a “thoughtfulness and thoroughness” regarding the project’s privacy sensitivity, but “significant questions” remain, the American Civil Liberties Union’s Jay Stanley writes. “It does not look as though this will be an airtight, privacy-protective system where subjects’ data will be technologically guaranteed private,” Stanley writes, noting “the cybersecurity questions are considerable. A fair amount of trust will have to be placed by participants in those who run this program.” He also recommends PMI “be studied and analyzed closely by privacy advocates.” [Free Future]

Health / Medical

US – Hackers Are Focused on Health; Employee Error Concerns Persist

A Raytheon/Websense Security Labs study has found that health services combat 340% more cyber-attacks than other types of organizations. “It’s clear that with the amount of personally identifiable and proprietary information available and inherent as part of the healthcare industry, it will remain an attractive target to attackers and a potential weak point for untrained employees,” said the survey’s authors. However, a new survey by Scrypt has found that the primary “concern in terms of HIPAA breach potential within healthcare organizations is around staff or human error.” Executive Insight offers tips on getting healthcare security right, with one PR professional noting, “If patient data is breached, the hospital’s reputation is immediately jeopardized.” Meanwhile, a CNN report indicates that some organizations’ wellness programs may not protect employees’ privacy. [FierceHealthIT]

US – Fitbit Now HIPAA-Compliant

Fitbit devices are now HIPAA-compliant. “We have gone through a third-party audit and we are now HIPAA-compliant as an organization,” said Fitbit Wellness Vice President and General Manager Amy McDonough, adding that this enables the company to “be able to sign business associate agreements and work with covered entities … We’ll be able to more deeply integrate and partner with some of these organizations to be able to have more effective and more engaging wellness programs.” McDonough noted that while personal health information isn’t “the information we share or create today … it will become important as we continue to grow.” [MobiHealthNews]

Horror Stories

US – T-Mobile Customer Data Compromised in Experian Breach

A breach of an Experian database affects 15 million US T-Mobile customers. Experian processes credit checks for T-Mobile customers. The compromised data include names and Social Security numbers (SSNs) but not financial account information. The breach affects data collected between September 1, 2013 and September 16, 2015. [The Hill] [The Register] [Wired]

UK – Millions of Nuisance Calls Result in Record Fine

The Information Commissioner’s Office has fined Home Energy & Lifestyle Management (Helms) 200,000 GBP, a record amount, for making six million nuisance calls. “This is a clear breach of the rules. The data controller—the company—has to take responsibility for this,” said Information Commissioner Christopher Graham, who indicated “companies should make their directors personally liable for breaches,” the report states. However, Helms maintains that the third party in its employ that made the calls was at fault. Helms “always accepted they were responsible,” an attorney for Helms said, adding, “But there is a distinction between a deliberate act and a negligent act.” Helms plans to appeal the decision. [The Telegraph]

WW – Hotels, Healthcare Orgs Report Breaches

The Trump Hotel Collection has announced point-of-sales systems at seven of its hotels in the U.S. and Canada “were infected with malware, potentially affecting an unspecified number of customers.” Information including account numbers, security codes and cardholder names “of individuals who used a payment card at the hotel between May 19, 2014, and June 2, 2015, may have been affected,” Trump Hotels has said. Meanwhile, Palo Alto VA Health Care System reportedly “unlawfully gave patient data to a private IT company despite employees not having cleared background checks,” and “16,000 people are being notified of a major risk to their private health information following an email attack” on Oakland Family Services, a Michigan-based nonprofit. [BankInfoSecurity]

US – Kardashian’s Site Security Flaw Left 600,000 Vulnerable

A curious developer discovered an unprotected API on one of the Kardashian sisters’ new websites, which not only left upwards of 600,000 users’ personal information vulnerable, but also gave the interloper the ability to manipulate data. The 19-year-old developer, Alaxic Smith, promptly reported the issue to the site’s creator, Whalerock, which patched the hole. “Our logs indicate that (Smith) was able to access only a limited set of names and email addresses,” Whalerock said in a statement. “No one else had access and that no passwords nor payment data of any kind was exposed. Our highest priority is the security of our customers’ data.” However, “the company is still in the process of validating what data was breached, and what, if any, data was actually saved or archived by Smith himself,” the report continues. [Tech Crunch]

Internet / WWW

WW – UN Report Proposes Stricter Internet Regulation

A newly released report from the United Nations’ Broadband Commission for Digital Development is titled “Cyber Violence Against Women and Girls: A World-Wide Wake-Up Call.” The report declares online violence against women and girls, or “cyber VAWG,” a “problem of pandemic proportion.” Dewey agrees with this assessment but disagrees with the report’s recommendations that countries around the world enact regulations that would hold Internet companies like social media sites and chat rooms responsible for the content created on them and only “license” those sites that agree to heavily moderate the content they host. [The Washington Post]

US – US and China Announce Cyber Espionage Agreement

At a press conference last week, US President Obama and Chinese President Xi Jinping announced that they had reached a “common understanding” regarding cyber espionage. The leaders agreed that both countries will not “conduct or knowingly support cyber-enabled theft of intellectual property.” There is skepticism that the agreement will result in change. [SC Magazine] [Wired] [DarkReading]

WW – Cybersecurity Pact With China Lauded

The agreement between Chinese and American heads of state to view online issues with increased gravity was a wise move. “They made some significant progress in doing this,” said James Lewis of the Center for Strategic and International Studies. The two administrations also pledged to create a group to track their cooperation in responding to cybercrime as well as a hotline “to resolve disputes over sharing information related to those crimes,” the report states. [The Daily Dot] SEE ALSO: [China Focus Could Spawn Future Issues]

US – CISA Stance Clarified

After Salesforce received criticism for signing a letter that some interpreted to be a support of the controversial CISA cybersecurity information-sharing bill, Salesforce’s CEO clarified the company’s stance via Twitter.

Location

WW – Roomba 980 Can Now Map Your House

The company behind Roomba, iRobot, has a new offering: the Roomba 980, which comes equipped with a camera and software that allows the device to gradually map its location. “Being able to localize in the environment is a foundational capability,” said iRobot’s Chris Jones. “You can imagine the day when a robot in the home can perceive and understand salient objects in the environment—that’s a couch, that’s my oven—that type of thing.” The company is wise to privacy questions around the new offering. “A representative explains that the maps are not transmitted from Roomba, and they are deleted after the robot finishes cleaning a room,” the report states. [MIT Technology Review]

WW – Getting the “Drops” on Reshipping

With so many retailers now refusing to ship to Russia or Eastern Europe because of endemic organized cybercrime, how do these cyber-thieves use the credit card numbers they’ve stolen? The answer is “reshipping,” a practice documented in the report “Drops for Stuff,” newly released and written by eight security researchers. How does it work? “Operators” recruit “drops” to receive goods and then reship them to “stuffers” who then sell them on the black market. This allows cybercriminals to turn a $10 purchase of a stolen card into $700 in black market cash. [KrebsonSecurity]

The Electronic Privacy Information Center has filed a Freedom of Information Act lawsuit against the U.S. Coast Guard and the Department of Homeland Security over a program that tracks and records boaters’ locations.

Online Privacy

WW – App Pays $11 Per Month To Track Users

Data collection start-up Symphony Advanced Media has released a video-tracking app that will pay users $11 per month to let it track all of their video viewing habits. VideoPulse uses a passive-listening program that hears what a user is watching in order to track it. The goal is to accurately gauge video analytics—an oft-debated issue in media circles, the report states. “There has been a significant void in understanding how consumers are using nontraditional media platforms, but innovation has finally arrived in the media measurement space,” said Symphony Advanced Media CEO Charles Buchwalter. The app currently has approximately 15,000 users and is being tested by several companies, including NBC, Viacom, Warner Bros. and A&E Networks. [Mashable]

US – EFF Announces Adzerk Will Honor DNT

Advertising company Adzerk, whose clients include Reddit, Stackexchange and Bittorrent, pledged to both respect user do-not-track requests and not have their ads “blocked by the major ad-blocking software.” “Blocking interfaces in browsers and operating systems are not only necessary for user freedom, security and privacy, but they are actually beginning to produce genuine improvements in the practices of the advertising industry,” said the Electronic Frontier Foundation’s Peter Eckersley and Alan Toner in a statement. “Apple should be congratulated for helping to make this happen, and those who are fearful about the future of the advertising-funded web should join us, Adzerk and other companies in helping to ensure that there are fewer reasons for users to need to block ads in the first place.” [BoingBoing]

WW – “Like” Button Data To Determine Ads

Facebook has announced it will use data gleaned from its “Like” buttons to tailor specific ads to users. “After the change, the types of sites you visit could be used to tune ads shown to you inside Facebook’s social networking service, its photo-sharing service Instagram and mobile apps that use Facebook’s ad network,” the report states. Facebook has also announced an opt-out for the ads, but the Electronic Frontier Foundation’s Rainey Reitman said, “Promising not to use information is not the same as promising to actually delete the data. The ‘Like’ data is especially problematic. Most people probably don’t even realize that whenever they load a page with a ‘Like’ button on it, Facebook gets a little information on them.” [Technology Review]

WW – Apple Updates Privacy Policy

Everyone, regardless of what devices they use, “should take a look at the latest edition of Apple’s privacy policy.” The policy, which includes details about data collection, “is a shining example of how easy to understand, transparent and clear such a document should be. It sets a bar other tech firms should follow,” the report states. [Computerworld] SEE ALSO: [Do Simpler Privacy Policies Invite More Outrage?] and [Should Privacy Policies List Marketing Partners?]

WW – Microsoft Responds to Windows 10 Concerns

Microsoft has responded to privacy concerns about Windows 10. In a blog post, Microsoft’s Terry Myerson details the ways Windows 10 gathers and uses data, the report states. Myerson notes “Windows 10 collects information so the product will work better for you,” adding that users “are in control with the ability to determine what information is collected.” [The Verge] See also: [Microsoft’s Smith: Privacy and Security Balance Necessary] and [Microsoft Executive Vice President and General Counsel Brad Smith talks about the ongoing litigation with the U.S. Department of Justice over emails stored in Ireland and the importance of security equilibrium]

WW – IBM Releases Cloud Security Enforcer

IBM has released new cloud security technology that aims to help protect organizations from risks associated with the rise of “bring-your-own cloud apps.” Research conducted by IBM indicates “one-third of employees at Fortune 1000 companies are sharing and uploading corporate data on third-party cloud apps,” the report states. At the same time, they’re using weak passwords or signing in using personal email addresses. Given such risks, IBM’s Cloud Security Enforcer allows companies to see all the third-party cloud apps employees are using, “provides a secure way to access them and enables companies to control which corporate data can and cannot be shared with the apps.” [eWeek]

Other Jurisdictions

IN – Tech Leaders Urged to Ask Modi to Rethink Privacy

As Indian Prime Minister Narendra Modi travels to meet with the leaders of American tech powerhouses such as Apple CEO Tim Cook, many are calling on those leaders to steer Modi’s ideas for “Digital India” toward greater respect for citizens’ privacy rights. Modi aims to use the trip “to showcase what a big market India is,” said Arvind Gupta of Modi’s Bharatiya Janata Party. However, Modi’s “Digital India project does not rest on a legal framework that respects privacy and sensitive information,” said Stanford’s Thomas Blom Hansen. “While India presents significant business opportunities, CEOs should tell Modi that they will oppose any steps that erode free expression or privacy rights,” said Human Rights Watch’s Brad Adams. [The Washington Post] After much criticism, India’s government has pulled its draft encryption legislation.

RU – Russian Court Fines Google Over Alleged Privacy Violation

A Moscow city court has fined Google nearly 800,000 euros (50,000 rubles) for allegedly violating the privacy of a Russian citizen through its targeted advertising. The Russian citizen sued the company for illegally reading his emails, but Google says its advertising is operated by an automated system. “Humans are not reading your emails,” Google told AFP, adding, “Our automated system scans emails in order to prevent spam reaching your inbox and to detect bad things like malware.” The decision could open the doors for more similar actions against the company. [AFP]

Qatar has reinforced its cybercrime law with the government’s approval of “an amendment that criminalizes photographing those who are injured or killed in accidents and posting them on social media.”

Australian MPs Terri Butler and Tim Watts have released a draft bill that would make revenge porn a federal crime.

The governments of Australia and South Korea have “signed a blueprint of defence and security cooperation between the two nations.”

Privacy (US)

US – Brill Calls for Advertisers to Be Upfront With Consumers

At the Better Business Bureau’s National Advertising Division Annual Conference, Federal Trade Commissioner Julie Brill used her keynote address to discuss the need for organizations to respect user privacy as they employ new advertising techniques such as tracking and data-sharing. “Advertising has become one of the most technologically advanced and data-driven industries in our economy,” Brill said. “However, it is not enough that companies communicate with and provide choices to consumers regarding retail mobile location tracking. They must also be truthful about these choices.” She also pushed for greater opt-out abilities for data-sharing online. “After all these years, consumers still don’t understand what’s happening with their personal information,” she said, “and they continue to struggle to control targeted advertising and data collection.” [FTC.gov]

US – “Unfair Methods of Competition” Statement Prompts Concerns

In a blog post, the Phoenix Center’s Lawrence J. Spiwak echoes Federal Trade Commissioner Maureen Ohlhausen’s sentiments on the FTC’s recently released Statement of Enforcement Principles Regarding ‘Unfair Methods of Competition’ Under Section 5 of the FTC Act, contending, “The FTC’s conduct in this case was certainly not an example of good government.” The next steps? “While the FTC deserves kudos for at least attempting to move the ball forward … my recommendation is that before we go too far down the road … prudence would dictate that we go back to the drawing board,” Spiwak writes, adding, “the American public deserve a well-reasoned and cohesive approach to Section 5’s unfair methods of competition standard.” [The Hill]

US – Comcast Settles With California for $33 million for Privacy Violations

Comcast has agreed to a $33 million settlement with the California Department of Justice and the California Public Utilities Commission for posting personal details online of customers who had paid for unlisted voice-over-Internet-protocol phone service. Comcast will pay $25 million to the two departments, $8 million in restitution to the 75,000 affected customers and has agreed to a permanent injunction mandating it strengthen rules on vendors that process personal information and provide additional monetary relief to customers “who have identified personal safety concerns” stemming from the disclosure of their data. “This settlement provides meaningful relief to victims (and) brings greater transparency to Comcast’s privacy practices,” said California Attorney General Kamala Harris. [Reuters]

US – Candidate Websites Fail Privacy Test

An Online Trust Alliance (OTA) survey of the 23 presidential candidates’ websites found that only six candidates protect basic user privacy. While cybersecurity ratings were high across the board, the omissions were dubbed “alarming” by the group, which found that some candidates’ sites didn’t have privacy policies posted. “One of them will be our next president,” said the OTA’s Craig Spiezle. Not all findings were doom and gloom, however. “Six candidates were lauded because they pledged in their privacy policies not to share personal information without users’ permission or a court order: Republicans Jeb Bush, Chris Christie, Rick Santorum and Scott Walker, and Democrats Lincoln Chafee and Martin O’Malley,” the report states. [The Wall Street Journal]

US – IAPP-EY Annual Privacy Governance Report 2015

Privacy, still nascent a decade ago, now employs thousands of professionals across the gamut of organizational structures and around the world. Yet there is still relatively little data about how the work of privacy is done. To that end, IAPP and EY surveyed a broad spectrum of organizations to document privacy governance—literally, how privacy is done. Today, we share the findings—the most comprehensive look at the structure and “how” of privacy governance we’ve ever released. At more than 150 pages, it is a document full of deep data and interesting trends, including looks at differing approaches taken by industry, by size of company, by maturity of program and by region of the world. Dive in. [IAPP.org]

US – Schneier: Tech Needs Increased Regulation

As new technologies employ facial recognition and surveillance flourishes, more regulatory strides must be made, Bruce Schneier writes. “Despite protests from industry, we need to regulate this budding industry,” he notes. “We need limitations on how our images can be collected without our knowledge or consent, and on how they can be used.” Meanwhile, payment-processing company Worldpay has announced a prototype for a chip-and-pin terminal that “takes a photo of a shop customer’s face the first time they use it and then references the image to verify their identity on subsequent transactions,” a move that has inspired privacy concerns. [Forbes]

US – OIG: OCR Has Room for Improvement

In two separate reports, the Office of the Inspector General (OIG) has found the Office for Civil Rights (OCR) has “room for improvement” in both HIPAA compliance and post-breach procedures. “OCR had not announced when it will begin its permanent audit program,” the OIG said in its first study. “Without fully implementing such a program, OCR cannot proactively identify covered entities that are noncompliant with the privacy standards.” The second study found that over one third of OCR employees failed to ensure that covered entities “had reported prior large breaches” and called for the agency to “develop an efficient method in its case-tracking system.” Meanwhile, the OCR has announced that Phase 2 of HIPAA audits will begin in early 2016. [HealthIT Security]

US – IAPP Privacy Innovation Award Winners Announced

The winners of the 2015 IAPP Privacy Vanguard Award and the 13th Annual HP-IAPP Privacy Innovation Awards were honored for their work in the privacy field. Hogan Lovells Partner and Director of the Privacy and Information Management Practice and Co-Chair of the Future of Privacy Forum Christopher Wolf was recognized with this year’s IAPP Privacy Vanguard Award and hailed as a trailblazer in the privacy profession and a “Dean of the Industry.” Three organizations were honored with the HP-IAPP Privacy Innovation Awards in the large, small and innovative privacy technology categories: Intuit, TeleSign and AirWatch by VMware. The Privacy Advisor has all the details. [Full Story]

US – LinkedIn Settlement Approved

U.S. District Court Judge Edward Davila has given LinkedIn’s proposed $1.25 million settlement of a 2012 class-action suit final approval. The “plaintiffs’ claim does not assert that class members were necessarily harmed by the data breach, but that they overpaid for their premium LinkedIn subscription because they did not receive promised data security,” Davila noted in his opinion. “The deal requires LinkedIn to pay approximately $15 each to almost 50,000 users who purchased premium memberships to the service,” the report states, adding the company “must use security techniques including ‘salting’ and ‘hashing’ for at least five years.” [Media Post]

US – Proposed Seattle Budget Includes Funding for CPO

In his 2016 budget proposal, Seattle Mayor Ed Murray has included a request for funding for a chief privacy officer position. The new CPO would “address potential privacy concerns and safeguard personal data,” the report states. Seattle hired a chief technology officer in 2014 to oversee a privacy overhaul. The city also appointed a Privacy Advisory Committee and, based on guidance from that committee, created a citywide privacy policy. Murray is also seeking funding for police body cameras, the report states. “We will work carefully to get this right and adequately address privacy concerns” Murray said of the plan for body-worn cameras. [Geekwire]

US – Senators Want Update From Car Manufacturers

Sens. Edward Markey (D-MA) and Richard Blumenthal (D-CT) have sent letters to 18 automakers asking for an update on their efforts to protect consumers from the privacy risks presented by smart cars. The two launched an investigation into the matter in 2013, asking manufacturers to answer questions on consumer privacy and security, and Markey published a subsequent report outlining hacking and data collection risks. Now, the senators want an update on “company-specific information” that includes 2015 and 2016 vehicles, with any changes that may have been made to vehicles, policies or practices since Markey’s initial inquiry. The senators request the companies respond no later than October 16. [Multichannel News]

US – Parents Unfamiliar with Current Laws: Survey

A Future of Privacy Forum (FPF) survey found that while a majority of parents are concerned about the theft of their children’s academic data, more than half claim to have no knowledge of existing privacy legislation. The FPF reports that 87% of parents “worry about student data being hacked or stolen” but “54% say they know nothing about existing federal laws regulating the use of student data,” which may account for the 57% who are in favor of new privacy legislation. “This survey makes it clear that we must do a better job of explaining to parents how their children benefit from improving the effectiveness of education products based on things learned in the classroom,” said FPF Executive Director Jules Polonetsky. “And parents want a commitment that their student data will never be exploited. I think that’s a commitment they deserve.” [Full Story]

US – Court Dismisses AOL Suit

The U.S. District Court for the Northern District of California has dismissed a class-action that alleged AOL violated the Telephone Consumer Protection Act (TCPA) “when users of its Instant Messenger service sent text messages to incorrect recipients.” The decision is one of the first to evaluate claims under the FCC omnibus TCPA order “offering guidance on numerous issues, including the types of equipment subject to TCPA restrictions and the statute’s application to social app petitioners for text messages sent using their services,” the report states. The court found “the omnibus TCPA order reinforced prior FCC decisions that supported AOL’s arguments for dismissal,” the report states. [Inside Counsel]

The recent IRS breach affecting more than 300,000 individuals has inspired the Senate Finance Committee to develop bipartisan taxpayer identity-fraud legislation, which will be debated.

A federal judge has granted class-action status to lawsuits by financial institutions that were victims of Target’s 2013 breach.

Privacy Enhancing Technologies (PETs)

WW – Security-Minded Blackphone 2 Ready for Preorder

Amidst news this week about privacy-focused smartphones heading to market, Sikur GranitePhone is now available for preorder. The phone aims to connect users while guarding their privacy, which Sikur CEO Frederico d’Avila said popular smartphones do not do adequately, the report states. “They do not always care about security,” d’Avila said, adding, “That’s why we came to that place, to help the customer to have that right solution for their privacy. They’re not looking to security as we do, because we’re living for that.” The recent smartphone announcements come as some analysts question mobile data tracking’s impact on user privacy. [CNET]

WW – Two New Privacy-Focused Phones on the Market

Those who place a premium on private mobile calling and surfing have two new options this fall. First up is the second release from Silent Circle, the Blackphone 2. The Android-powered device features the Silent OS, an “Enterprise space” for companies to cordon off company data from personal data and peer-to-peer encrypted voice and video, among other features. It’s now available to order for $799. Blackberry has announced it will release an Android-powered phone it’s calling the Priv, which “combines the best of BlackBerry security and productivity with the expansive mobile application ecosystem available on the Android platform.” No word on price yet. [9to5Google]

WW – Secure Messaging App Use Booms

Telegram Founder Pavel Durov announced at TechCrunch Disrupt SF that the encrypted messaging service has gone from a billion messages exchanged per day to 12 billion in eight months. This, he argues, indicates privacy’s growing importance in the eyes of consumers—and companies. “Privacy is not something that is relevant only to business users, but businesses are most affected because they could be blackmailed,” he said. The app’s growing appeal has even attracted terrorist groups, the report states. When asked if that is reason for concern, Durov said, “That’s a very good question, but I think that privacy, ultimately, and our right for privacy is more important than our fear of bad things happening, like terrorism.” Meanwhile, G Data has announced “Secure Chat,” a free “tap-proof” messaging app for Android. [TechCrunch]

WW – Security Tool Strengthens Online Anonymity

Dissent is a cryptographically backed anonymity network that, when used in conjunction with the Tor network, can markedly improve online anonymity. Dissent uses a DC-net, first proposed by a cryptographer in 1988. Though it is much slower than Tor, it is a more effective alternative for achieving online anonymity. “One of the most important things to understand about Dissent,” said project lead Bryan Ford, “is that it’s not going to be a drop-in replacement for Tor, at least not in its current form.” One possible use for Dissent, the report states, “would be to create a privacy-preserving WiFi networking layer.” [Motherboard]

US – CUJO: Privacy’s Newest Attack Dog

Thanks to the new device CUJO, users can see when their data is being tampered with. Named after the canine antagonist in the Stephen King novel, the tool functions as a guard dog of sorts, keeping tabs on “how much data, the type of data, and where it’s going,” the report states. “If it detects an anomaly, it will alert you on the physical product as well as through an app notification,” with the position of the device’s LED “eyes” indicating whether something’s amiss. [Fast Co Design]

RFID / IoT

US – Hoofnagle Examines FTC’s TRENDnet Case

“The FTC’s matter against TRENDnet is especially important for the emerging Internet of Things,” UC Berkeley’s Chris Hoofnagle writes. After TRENDnet-produced SecurView cameras were hacked and live feeds were shared publicly, the FTC “sought to have TRENDnet answer the question of whether it can be trusted by consumers,” Hoofnagle writes, adding, “when one reads the TRENDnet 2014 report, more questions are raised than answered.” TRENDnet’s report indicates “several weaknesses of the FTC’s assessment approach to oversight. The TRENDnet report—and reports filed by other companies—are full of confusing jargon,” Hoofnagle writes. And with TRENDnet’s report “just one of over 100 such reports that the FTC is receiving nowadays under its supervision of data privacy and security cases,” Hoofnagle writes, the agency “cannot effectively supervise all the companies under consent decree.” [Full Story] SEE ALSO: [IoT Needs Privacy and Security? Hogwash]

US – DARPA Seeking Research Proposals for Analysis of Involuntary Analog Emissions

The Pentagon’s Defense Advanced Research Projects Agency (DARPA) is looking for technology capable of monitoring Internet connected devices like refrigerators and thermostats, often referred to as the Internet of Things (IoT). Specifically, DARPA is seeking “algorithms, tools, and devices for mapping analog emissions of digital devices.” [NextGov] [FBO]

Security

US – Survey: Confidence in Security Investments Is Low

More than 80% of respondents to EMA Research’s 2015 State of File Collaboration Security survey “admitted that there have been data leakage incidents in their organizations,” with only 16% espousing high levels of confidence in their cloud system security. “Data dissemination and file collaboration are natural parts of most business and operational workflows, so security must be an integral part of the workflow to protect information,” said EMA’s David Monahan. “Unfortunately, protecting sensitive and regulated data within shared files remains a significant exposure within many organizations,” he said, adding, the “lack of capability to control unstructured data … will not only yield more data privacy breaches but will impact the adoption of advanced enterprise and cloud content management systems.” [Infosecurity Magazine]

EU – Ansip Announces Awareness Campaign

European Commission (EC) Vice-President for the Digital Single Market Andrus Ansip announced via blog post that the EC will begin a cybersecurity awareness campaign that aims to increase online security knowledge. The program includes “over 150 promotional events and activities to take place in 27 countries, with the goal of educating people about protection from digital criminals,” the report states. “People will hesitate to use e-services if they are not confident that they are reliable, safe and secure,” Ansip said. “They may actually choose not to use them at all,” and thus “we have to stay one step ahead.” [Billboard]

US – Audit Finds MIDAS Severely Vulnerable

The Department of Health and Human Services (HHS) has discovered that MIDAS, “the central electronic storehouse for information collected under President Barack Obama’s healthcare law,” has 135 system vulnerabilities, “of which nearly two dozen were classified as potentially severe or catastrophic.” “It sounds like a gold mine for ID thieves,” said the Electronic Frontier Foundation’s Jeremy Gillula. “I’m kind of surprised that this information was never compromised.” Medicare’s Andy Slavitt said “the privacy and security of consumers’ personally identifiable information are a top priority” and the problems were immediately addressed. “But,” the report states, “the episode raises questions about the government’s ability to protect a vast new database at a time when cyber-attacks are becoming bolder.” [ABC News]

US – Pentagon Issues Guidance on Breach Notices

Following the major hacks at the Office of Personnel Management, the Pentagon has issued guidance to the Department of Defense (DoD) “on considerations for making public announcements regarding breaches of private information.” In a letter, Michael Rhodes, senior official for privacy at the DoD, said the department “must continue its efforts to promote a culture to continuously ‘think privacy’ and act swiftly to develop and implement effective breach mitigation plans, when necessary.” Rhodes added that no two breaches are alike, so case-by-case analysis as well as “the use of best judgment is required for effective breach management.” [FEDweek]

US – President: “Basic International Framework” Needed

U.S. President Barack Obama has called for a “basic international framework” on cybersecurity. As Chinese President Xi Jinping’s Washington, DC, trip nears, Obama said the U.S. aims to illustrate that “economic cyber attacks” are “something that will put significant strains on a bilateral relationship if not resolved and that we are prepared to take some countervailing actions.” This comes on the heels of a revelation that China’s government “distributed a document to some American tech companies” asking they “pledge their commitment to contentious policies that could require them” to hand over user data, The New York Times reports. And Tech Times reports the Chinese government is allegedly constructing a Facebook-esque catalogue of U.S. officials. [Reuters]

US – Docs Illustrate the Days After the Target Breach

Newly released documents illustrate Target’s actions immediately following its 2013 breach. Days after the breach exposed 40 million customer debit and credit card accounts, the company hired Verizon security experts to look for system vulnerabilities. The results of that investigation, which haven’t been publicly revealed until now, confirm “what pundits have long suspected,” the report states. “Once inside, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store.” The report also found that while Target has a password policy, it wasn’t being followed. [KrebsonSecurity]

Surveillance

UK – MI5 Director: “Snoopers’ Charter” Necessary

MI5 Director-General Andrew Parker has said the UK intelligence agency’s ability to spy on communications data is no different than “the work spies have been doing for a hundred years.” Parker said the so-called “snoopers’ charter” is crucial to protect citizens as the number of threats against the UK is as high as he’s seen in his 32-year career. “We need to be able to do what we have always done through our history,” he said. “To find and stop the people who threaten the UK, we need to be able to monitor the communications of terrorists and spies and others who threaten the country.” Meanwhile, a new legal challenge to surveillance programs was filed by Human Rights Watch. [Financial Times]

WW – How TV Shows Portray Mass Surveillance

Pop culture blogger Alyssa Rosenberg discusses how television programming portrays mass surveillance and predictive policing. “The rise of increasingly sophisticated surveillance technology has been a rich inspiration for popular culture in recent years,” she writes, noting “network television now has three shows on the subject.” She notes the bevy of surveillance-related shows on national television demonstrates “the mood of our times,” adding, “No matter what qualms these series might express about the civil liberties issues involved in mass surveillance or about the ethics of arresting or harming people before they’ve actually broken the law, they’ve already ceded ground on these issues in encouraging us to believe in a heightened risk of crime.” [The Washington Post]

US – Boston Subway to Track Riders With Beacons

The Massachusetts Bay Transportation Authority (MBTA), which operates the Boston public transportation system, announced it has started a yearlong pilot project that will track riders who download a special app via a Bluetooth beacon system run by a company called Intersection. In the news release, the MBTA said the project will track riders but will not collect personally identifying information and all data will be handled on a “secure, closed network.” The hope is to find ways to improve communication with transport users, map how riders use the various stations and explore “how brands can increase engagement and interaction with commuters based on proximity.” [BostInno]

US – Whose Job Is OPM Data Security?

In response to questions from Sen. Ron Wyden (D-OR), the National Counterintelligence and Security Center (NCSC) said infosecurity at the Office of Personnel Management is not NCSC’s job. According to the nation’s top counterintelligence agency, “Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget and the Department of Homeland Security.” Wyden was unimpressed, calling the response “unworthy of individuals who are being trusted to defend America.” The back-and-forth lends credence to those lawmakers who believe legislation is needed to clarify cybersecurity roles in the federal government, the report states. [The Hill]

Telecom / TV

US – New Hampshire Library Restores Tor Node

A library in Lebanon, New Hampshire that suspended its operation of a Tor relay due to concerns raised by a Department of Homeland Security investigator has restored the node. The library’s IT director said that there was no pressure to take down the relay, but that they volunteered to take it down until the board met and voted on Tuesday, September 15. The Kilton Library is a pilot participant in the Library Freedom Project. The publicity generated by the story has prompted a dozen more libraries across the US to ask for information on hosting Tor nodes. [ArsTechnica] [The Register]

US – California County Announces Cell-Site Simulator Use Policy

The Sacramento County Sheriff’s Department says it will obtain “judicial authorization” before using cell-site simulator technology often referred to as a Stingray. The SCSD’s policy also automatically seals the applications for judicial authorization and calls for collected data to be purged after each use of the technology. Earlier this month, the US Department of Justice (DoJ) unveiled its policy regarding the technology, which requires law enforcement officials within its agencies to obtain a warrant prior to its use. The DoJ’s policy does not affect other federal, state, or local law enforcement agencies. [Ars Technica] [SACSheriff]

US Legislation

US – House Committee Approves Judicial Redress Act

Inching a step closer toward a major law enforcement agreement with the European Union, the U.S. House Judiciary Committee approved a bill that would give European citizens a right to sue in U.S. courts if their personal data is misused. A major component of the EU-U.S. Umbrella Agreement, the Judicial Redress Act, is a necessary law for assuaging European concerns about the use of their data by U.S. companies. Committee Chairman Bob Goodlatte (R-VA) said, “The Judicial Redress Act can go a long way toward restoring our allies’ faith in U.S. data privacy protections and helping facilitate agreements.” In a separate column for The Hill, Rep. Jim Sensenbrenner (R-WI), an author of the bill, wrote that the legislation “is essential to U.S. law enforcement.” [The Hill]

US – Tech Firms Support Judicial Redress Act

U.S. technology companies “are lining up” to support the Judicial Redress Act. The House bill “would allow non-U.S. citizens to seek records U.S. agencies have collected and pursue legal action when such records are disclosed,” the report states, noting it would apply to citizens of “select allied nations, primarily in the European Union.” Support by technology companies shows “the sector’s latest effort to rebuild trust abroad in the wake of Edward Snowden’s disclosures, which revealed many companies were turning over customers’ communications to the U.S. government,” the report states. A group of tech firms wrote that the loss of trust “translated into significant negative commercial consequences for U.S. firms, with global consumers choosing technology solutions from other providers.” [Tech Crunch]

US – Software Alliance Backs CISA, Other Reforms

An industry group that represents a number of high-profile technology companies has sent a letter to Congressional leaders expressing its support for the Cybersecurity Information Sharing Act (CISA). The Software Alliance, which represents a number of companies including Adobe, Apple, IBM, Microsoft and Symantec, stated that CISA “will promote cybersecurity and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat.” In addition to CISA, the group urges Congress to pass ECPA reform, the LEADs Act, the Judicial Redress Act and modernize the Mutual Legal Assistance Treaty. [The Daily Dot]

The California legislature has passed a DNA collection bill that would allow DNA to be collected from all felon arrestees, but only allow it to be “uploaded to the state’s database after a judicial finding of probable cause,” reports California Newswire. It now awaits Gov. Brown’s signature.

Florida will see 27 new laws going into effect on October 1, including one that deals with police using devices to track suspects.

Oregon Gov. Kate Brown signed the state’s new invasion of privacy law.

A bill introduced in Oregon’s legislature aims to protect the privacy of students when in a legal dispute with a college.

University of Wyoming students are working to pass a law that would change how student emails are labeled under the Public Records Act.

Delaware recently enacted a “package of statutes governing the collection, storage and use of the personal information of Delaware residents by websites, Internet and cloud service providers and Internet and mobile applications.”

Maine has a new employee social media privacy law, which goes into effect on October 15.

In Wyoming, proposed legislation “would bar school district employees from requiring students to provide them access to social media accounts, smartphones or other personal digital information.”

Workplace Privacy

WW – Study: Employee Privacy Concerns Slow Device Rollout

A Bitglass study indicates that employees’ privacy concerns are slowing down companies’ efforts to roll out bring-your-own-device (BYOD) initiatives. “From an employee standpoint, the biggest challenges are privacy concerns over what does the IT department have visibility into and what do they have control over on my device … Am I giving up my privacy in exchange for having access to corporate email and apps on my device?” said Bitglass VP of Products and Marketing Rich Campagna. “As a result, BYOD adoption has been a lot lower than a lot of people expected over the last few years.” [FierceMobileIT]

+++

1-15 September 2015

Biometrics

US – Class Action Launched Against Facebook Over Biometric Use

Facebook has been hit with a class-action complaint over its biometrics slurpage, with millions of possible plaintiffs who may claim damages if the advertising giant is found to have acted unlawfully. The complaint (PDF) states that “Facebook has created, collected and stored over a billion ‘face templates’ (or ‘face prints’)”, which, ostensibly, are as uniquely identifiable as fingerprints. These have been gathered “from over a billion individuals, millions of whom reside in the State of Illinois”. It is alleged that in doing this, the ZuckerBorg is in violation of the Illinois Biometric Information Privacy Act (BIPA), which was passed by the state legislature in 2008. As noted in the complaint, under BIPA a private entity such as Facebook is prohibited from obtaining or possessing an individual’s biometrics unless it achieves suitable consent, which is constituted by:

  • Informing that person in writing that biometric identifiers or information will be collected or stored
  • Informing that person in writing of the specific purpose and length of term for which such biometric identifiers or biometric information is being collected, stored and used
  • Receiving a written release from the person for the collection of his or her biometric identifiers or information
  • Publishing publicly available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information

The complaint alleges that: “In direct violation of… BIPA, Facebook is actively collecting, storing, and using – without providing notice, obtaining informed written consent or publishing data retention policies – the biometrics of its users and unwitting non-users.” The plaintiff asserts that he does not have, and has never had, a Facebook account, but notes that a Facebook user uploaded to Facebook at least one photograph depicting him, which has resulted in the non-consensual creation of a biometric template of his face. The action is brought on behalf of a class of similarly situated individuals, defined as: The class action complaint was filed in the United States District Court, Northern District of Illinois, and is case number 1:15-cv-07681. [The Register]

US – Shutterfly Suit Progresses with Defendant Response in Illinois

New papers were filed in the case of an Illinois resident suing Shutterfly after his “faceprint” was added to its database without his knowledge. Plaintiff Robert Norberg is arguing that the move was illegal under the Illinois Biometric Privacy Law. Shutterfly moved to dismiss earlier this summer, saying the 2008 statute doesn’t regulate faceprints. However, “(b)y Defendants’ logic, nothing would stop them from amassing a tremendous, Orwellian electronic database of face scans with no permission whatsoever so long as the database were derived from photographs,” Norberg’s team wrote in court filings. “And indeed, that appears to be exactly what they are doing.” [MediaPost]

AU – Facial Recognition: Privacy Advocates Raise Concern Over ‘Creepy’ System

The Australian government has announced it is spending $18.5 million on what has been hailed as Australia’s newest national security weapon – facial recognition technology. The Capability – short for The National Facial Biometric Matching Capability – will allow law enforcement and security agencies to quickly scan through up to 100 million facial images held in databases around Australia. The images can come from drivers’ licences, passport photos or security cameras in your local shopping centre. Justice Minister Michael Keenan said The Capability had been informed by independent privacy assessments and will help combat identity fraud and theft as well as terrorism and organised crime. But privacy advocates said people should always be asked or at least notified before their faces are scanned, which under law, can happen from a distance without a person’s knowledge. [Lateline News]

WW – Porsche to Feature Emotion-Gauging Camera

Porsche’s Mission E model will come with an eye-reading, emotion-gauging camera. The device, located in the rearview mirror, “recognizes the driver’s good mood and shows it as an emoticon,” the report states, noting the emoticon “can then be shared via social media, alongside the car’s route and speed.” Some analysts find the emoticon and camera strange, the report states. “We’re not just making cars anymore. We’re making personal expressions,” said Kelley Blue Book’s Karl Brauer, adding, “If you’re the kind of person to spend more than $100,000 on a sports car, you might just be the kind of person wanting to share pictures of yourself, too.” [The Washington Post] [Porsche’s Tesla killer: A superfast electric sports car that can read your emotions]

Big Data

US – Project Won’t Go Live Without Privacy Policy

A National Science Foundation grant has catapulted the University of Chicago-Argonne National Laboratory “Array of Things” data-collection project into the construction phase, but project leadership promise the security-minded that a privacy policy will be the final step before it’s all systems go. “We are trying to create something where the people are watching the city; it’s the polar opposite of the city watching the people,” said the project’s head scientist, Charlie Catlett. “This is fiercely protective of privacy.” While the privacy policy has been in the works for over a year, “city officials said it’s still in the draft stage, and Catlett said the sensors will not go up until the policy is finalized.” [Chicago Tribune]

Canada

CA – Body Cams Shouldn’t Capture ‘Informal’ Interactions, Police Chief Says

If Toronto police officers began switching on their body-worn cameras during informal interactions with the public, it would “completely disrupt” the force’s nearly year-long trial of the popular policing technology, turning it into “something very different and problematic,” according to Toronto police chief Mark Saunders. Currently, rather than running at all times, the cameras are only activated by the officers under certain circumstances, including when making an arrest, answering to calls for service, responding to a crime in progress and more. [Toronto Star]

CA – Feedback Sought On Proposed All-In-One ID Card for Manitobans

Manitobans are invited to share their views on a proposed all-in-one Personal Identification Card (PIC) that would combine a person’s driver’s licence, photo ID, health and travel card. The PIC, a joint proposal by Manitoba Health, Healthy Living and Seniors, and Manitoba Public Insurance, could eventually eliminate the paper Manitoba Health card by placing an individual’s personal health ID number on the back of the security enhanced, tamper-free PIC. While there are many potential benefits “we also recognize that this proposal may affect different Manitobans in different ways,” said Health Minister Sharon Blady. “So we need to hear from those who access and provide health services in our province before we choose a path forward.” In addition to seeking input from individuals, consultation will take place with numerous groups, including First Nations and Metis organizations and communities, Manitobans with disabilities, health care providers and the Manitoba Ombudsman. “The ultimate goal of the PIC is to better protect Manitobans against identity theft, forgery and fraud while ensuring that private information stays confidential,” said Manitoba Public Insurance President and CEO Dan Guimond. [CBC News] [Copy of Discussion Paper]

CA – Census Debate Revived in Federal Election

Researchers, public policy advocates, statisticians, business groups, economists — and the Liberal and NDP parties — continue to call for the mandatory long-form questionnaire to be brought back, arguing that important statistical data is getting lost. In a package of recently proposed reforms on transparency, the Liberals are promising to immediately restore the mandatory long form if they form government in the Oct. 19 federal election. And Jean Ong, a spokesperson for the NDP, said in a statement that the party has long advocated for the restoration of the long-form census and continues to do so. The lost data has massive implications for public policy decisions, business planning and a host of other areas, proponents of the mandatory long survey say. [Toronto Star] [CA – Why Internet privacy should be a key election issue: Geist] [Why privacy matters in this Canadian election] [Prank calls, #peegate — and a party’s weird approach to privacy]

CA – Ontario Court Opens Door to Adding Privacy Claims to Defamation Lawsuits

A recent Ontario Superior Court of Justice ruling appears to open the way to adding invasion of privacy claims to defamation lawsuits against journalists, says a defamation lawyer. On Aug. 31, Justice Graeme Mew released the reasons for his July 17 decision on a motion in Chandra v. CBC. The motion, brought by the CBC, sought to have the court decide that it shouldn’t put an invasion of privacy claim to the jury that the plaintiff had added to his original defamation case. “Can a plaintiff who has sued a broadcaster for defamation in connection with a television program also maintain a claim for general damages for invasion of privacy?” Mew asked at the beginning of his reasons for his decision. His answer: Yes, but in this case at least, with some limitations. [Law Times]

CA – $55K to Surveil Garbage-Dumpers in Winnipeg

A plan to film people illegally dumping garbage will be considered by the City of Winnipeg. Coun. Ross Eadie (Mynarski) and Coun. Devi Sharma (Old Kildonan) raised the issue in a June city council meeting, and now a report is recommending the city spend $55,000 on six surveillance cameras to catch people dumping garbage in private lots. It is a rampant problem that should be met with stiff fines, Eadie said, suggesting penalties up to $2,500 for an individual and $6,000 for a business. Eadie said the city’s innovation committee would have to approve a budget increase to purchase the cameras. “The money that comes in will more than likely offset the cost of the video camera,” he said. Eadie said he believes city council will vote on it some time in December. [The Winnipeg Sun]

CA – Planned Passport Renewal Change Opens Door to Fraud, Forgery

The federal government is bringing in major changes to the way Canadian passports are issued, changes that could speed up the renewal process but also invite forgery, fraud and identity theft at a time of heightened global security. An internal notice from Citizenship and Immigration Canada reveals the changes coming this fall would allow online applications and no longer require the return of the old passport — even if it remains valid for six more months. Instead, applicants will be told to “cut the corners” of the document through an honour system. The change is to take effect on Nov. 1, 2015, for online applications and Dec. 14, 2015, for paper-based applications that are mailed or handed in to a passport office, according to the document. [CBC News]

CA – IPC Simplifying PHIPA Processes

In order to simplify and clarify how we handle different types of complaints under the Personal Health Information Protection Act (PHIPA), we are updating our existing processes. In coming months, we will test the new procedures to ensure we continue to resolve PHIPA matters in a fair, just and timely way. Although we resolve many files at an early stage, we can also conduct a review under PHIPA, which gives us greater powers to investigate and issue orders. In our updated processes, we will:

  • provide similar processes for all types of complaints
  • distinguish between complainant-initiated files and breaches reported by custodians or files we initiated
  • clarify the roles and responsibilities of Intake, Investigation/Mediation and Adjudication — the three stages of our tribunal processes

[Source]

CA – IPC: What Students Need to Know: High School Teachers’ Guides

Understanding why access to government-held information and the protection of privacy are important public values will prepare students to become active participants in our democratic society. To assist teachers in meeting the Ministry of Education’s curriculum expectations, the IPC created two resource guides that are tailored for grade 10 and grade 11/12 classes. The guides were developed in consultation with teachers and offer step-by-step activities, handouts, quizzes and evaluation criteria on subjects such as open government, online privacy and identity theft. For summaries of the guides, see the Grade 10 and Grade 11/12 fact sheets. [Source] [Access and Privacy in the Classroom: Resources for Parents, Teachers and School Administrators] See also: [Why social media can be a minefield for teachers: Tightening up privacy settings might not be enough to protect teachers’ reputations, experts say]

CA – New Lesson Plan Teaches Grade 7 And 8 Students About Online Privacy

Alberta’s privacy commissioner helped design a new course aimed at teaching Grade 7 and 8 students how to be safer online. The “Kids’ Privacy Sweep Lesson Plan” shows children how they can unknowingly share private details when they use websites and apps. The lesson defines what cookies, IP addresses and geo-locations are. It also shows students how companies collect and share data with third parties. Students are asked to look at popular apps and websites to see what personal information users are asked to provide. The lesson was developed after the Global Privacy Enforcement Network [GPEN] conducted a privacy sweep of 1,494 websites and smartphone and tablet apps targeted at children. The investigation found that 67% collected children’s personal information and 50% shared that information with other organizations. The lesson is now available for teachers to use in schools across Canada. [CBC News] [Data Privacy Is an Uphill Battle] [WW – Digital privacy concerns ‘the new normal’ as users pay with personal information] [WW – 7 worst apps that violate your privacy] [CSO Online: Attackers go on malware-free diet] [UK: Man who changed ex-girlfriend’s Facebook profile picture to sexually explicit image jailed for over four years] [‘Sexting panic’: Why the law struggles to keep up with reality]

CA – NB Info Commissioner Pushes Back on Proposed RTI Reforms

New Brunswick’s information commissioner is pushing back against two government proposals for overhauling the right-to-information system. A report recommends looking at reinstating fees for people who use the Right to Information and Protection of Privacy Act to request government documents and records. It also suggests giving bureaucrats the power to decide for themselves whether they can ignore a request they consider “frivolous or vexatious” under the act. That recommendation is now subject to review by Information Commissioner Anne Bertrand, who says she’s leery of the provincial government giving itself the power to make that determination. [CBC News]

CA – Chicken Farm Hired to Shred Confidential Records, Report Says

A chicken farm should not be used to dispose of sensitive health documents, Saskatchewan’s privacy and information commissioner says. The matter came up in a report recently issued by commissioner Ron Kruzeniski concerning the Spruce Manor Special Care Home in Dalmeny, about 23 kilometres north of Saskatoon. The privacy office had been investigating the home earlier in the year after some of the residents’ health cards ended up in a recycling bin. In the course of that investigation, it found that in May, the home had signed a deal with an undisclosed chicken farm to destroy its confidential records. In the agreement, the farm said it would “agree to accept full responsibility to maintain the security and confidentiality of all documents” received from Spruce Manor Special Care Home. That’s “unacceptable,” Kruzeniski said in his report, noting that the agreement does not specify how the chicken farm is to “maintain the security and confidentiality” of the personal health information it has received. “I recommend that Spruce Manor Special Care Home no longer use [a] chicken farm to destroy records in spite of the former administrator asserting he had no problems/concerns with the use of the chicken farm,” Kruzeniski said in the report. [CBC News]

Consumer

WW – Smart-Car Drivers Not So Worried About Privacy: Report

While rhetoric has focused increasingly on drivers’ privacy concerns as connected cars become a reality, a recent survey indicates drivers may not be as worried as has been believed. The survey was conducted by McKinsey & Co. and found more than half of respondents said they had “no problem” allowing their car to collect data and “send it anonymously to the auto maker” in the name of improvements to the vehicle. “The number jumped to 76% if auto makers guaranteed the data will only be used to improve vehicles and not shared with anyone else,” the report states, noting 70% said they’re already sharing their data with smartphone apps. [The Wall Street Journal] [U.S. Automakers Take The Wheel On Cybersecurity – But Can Canadian Manufacturers Hitch A Ride?]

E-Government

US – Tech Companies Push Back Against U.S. Gov’t Data Access

A host of tech companies—including Apple, Google and Microsoft—have been tangling with the U.S. government about law enforcement’s access to user data. Most notably, this week, the Second U.S. Circuit Court of Appeals in Manhattan is set to hear a long-standing case between the U.S. Department of Justice and Microsoft over emails the agency wants access to but that are stored in Ireland. Companies including Amazon, Verizon and Cisco have all submitted amicus briefs on behalf of Microsoft in the case. A ruling against Microsoft would likely garner more distrust of U.S. companies by foreign users, the report states. In a column for Fusion, Prof. Ryan Calo writes that tech companies may be the best defense and brightest hope against too much government surveillance. [The New York Times] [What does the Microsoft privacy battle mean for the future of internet security?] [CNET: Apple, Microsoft Tussle With Feds Over Access to User Data] [If you care about privacy, you should be using and supporting Apple]

US – US Voting Machine Woes

The majority of US states use electronic voting systems that are at least 10 years old, according to a report from the Brennan Center for Justice at the New York University School of Law. Not only are the systems out of step with the latest technological advances, but there are also reports of equipment degradation and unreliability. Many of the machines are running versions of Windows XP, and some machine manufacturers are no longer in business. [Wired]

E-Mail

US – DoJ, Microsoft Present Arguments in eMail Warrant Case

Representatives from the Department of Justice (DoJ) and Microsoft each made their arguments before the Second Circuit Court of Appeals in a case that could determine what rights governments have in accessing information contained in the cloud. Microsoft’s counsel told the court that compelling it to hand over data stored on servers in Ireland “is an execution of law enforcement seizure on their land … We would go crazy if China did this to us.” The DoJ argues that the emails should be considered business records, meaning a search warrant would suffice. However, Microsoft argues they are customers’ personal documents. The three-judge panel could hand down a decision as early as October or as late as February, the report states. [The Guardian] [Silicon Republic] [Washington Post] [The Hill] [WW – Microsoft Slips User-Tracking Tools into Windows 7, 8 Amidst Windows 10 Privacy Storm]

Encryption

US – Could Apple Face Fines for Lack of Backdoor Access?

A Department of Justice (DoJ) court order demands that Apple provide authorities with real-time access to a suspect’s iMessages sent between iPhones. The company allegedly told the DoJ that the data is encrypted, preventing law enforcement from gaining access. Johns Hopkins Prof. Matthew Green asked, “Could a court force (Apple) to modify their technology in order to make eavesdropping possible?” One way the government could compel a company to provide court-ordered data is to levy fines, the report states, something Yahoo faced years ago. Sen. Chuck Grassley (R-IA) has asked the DoJ to brief him on the Apple iMessage case. [ZDNet]

US – White House Says Legislative Fix on Backdoors Not Needed

The White House has indicated it will not seek legislation to mandate backdoors to encrypted communication services. The Obama administration is also considering “whether to publicly reject a law requiring firms to be able to unlock their customers’ smartphones and apps under court order,” the report states. A White House official said, “The encryption issue … both in this country and abroad is going to have a major impact on how law enforcement and intelligence do their jobs.” Meanwhile, government officials—including from the FBI and Department of Justice—and cryptographers debated the role of encryption in electronic communications Tuesday. [The Washington Post]

US – New Hampshire Library Suspends Tor Relay

The Kilton Public Library in Lebanon, New Hampshire, was selected as a pilot location for a Tor relay program organized by the Library Freedom Project and The Tor Project. Shortly after the library announced its participation in the program, the US Department of Homeland Security (DHS) contacted the town’s police department. When the police voiced concerns about Tor to the library board, the board suspended the library’s participation in the program. The board will vote on September 15 on whether or not to restart participation. [Ars Technica] [EFF]

US – Apple to DoJ: We Can’t Give You Real-time Access to iMessage

Over the summer, the US Justice Department served a court order on Apple, demanding that the company provide DOJ with real-time text messages sent between suspects in a case involving guns and drugs. Apple replied that it was unable to comply because the iMessage system encrypts communications on individual devices and Apple does not have the key. Apple only has copies of messages if users save them to iCloud. [Schneier] [The Guardian] [ZDNet] [NYTimes]
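The reason Apple gave the DoJ comes down to key custody: the messages are encrypted on the handsets, so the relay in between holds only ciphertext and routing metadata. The following Python is an added illustration of that split, not Apple’s code or a description of the real iMessage protocol. It assumes a single pre-shared 32-byte device key instead of iMessage’s per-device public keys, and it uses an HMAC-SHA256 counter-mode stream plus an encrypt-then-MAC tag as a stand-in for a production AEAD cipher; the `Relay` class, the `alice-iphone`/`bob-iphone` names and the sample message are all constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption for illustration: both devices already share a 32-byte key that
# never leaves them. (Real iMessage uses per-device public keys; a pre-shared
# key keeps this example self-contained and offline.)


def _subkey(device_key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from the device key."""
    return hmac.new(device_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for a real AEAD cipher."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(device_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the sending device. Output: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(device_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(device_key, b"mac"), nonce + ciphertext,
                   hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(device_key: bytes, envelope: bytes) -> bytes:
    """Verify the tag first: a wrong key never yields plaintext, only an error."""
    if len(envelope) < 48:
        raise ValueError("envelope too short")
    nonce, ciphertext, tag = envelope[:16], envelope[16:-32], envelope[-32:]
    expected = hmac.new(_subkey(device_key, b"mac"), nonce + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    ks = _keystream(_subkey(device_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Relay:
    """The provider's server (constructed): stores and forwards envelopes, holds no device keys."""

    def __init__(self):
        self.mailbox = []

    def accept(self, sender: str, recipient: str, envelope: bytes) -> None:
        self.mailbox.append({"from": sender, "to": recipient,
                             "size": len(envelope), "envelope": envelope})

    def metadata(self) -> list:
        """What an order served on the provider could actually yield: who, to whom, how much."""
        return [{k: v for k, v in entry.items() if k != "envelope"}
                for entry in self.mailbox]

    def attempt_decrypt(self) -> list:
        """Without the device key, full access to the server still yields no plaintext."""
        outcomes = []
        for entry in self.mailbox:
            try:
                decrypt(os.urandom(32), entry["envelope"])  # a guessed key
                outcomes.append("readable")
            except ValueError:
                outcomes.append("unreadable")
        return outcomes


def exchange(message: bytes) -> dict:
    """One message from one constructed device to another through the relay."""
    device_key = os.urandom(32)  # lives only on the two devices
    relay = Relay()
    relay.accept("alice-iphone", "bob-iphone", encrypt(device_key, message))
    delivered = relay.mailbox[-1]["envelope"]
    return {
        "recipient_reads": decrypt(device_key, delivered),
        "provider_sees": relay.metadata(),
        "provider_can_read": relay.attempt_decrypt(),
    }


if __name__ == "__main__":
    print(exchange(b"meet at the usual place"))
```

Running `exchange()` shows the two halves of the story side by side: the recipient device recovers the message, while the relay can report sender, recipient and envelope size but its decryption attempt fails the authentication check. The same split is why Apple’s reply distinguished device-encrypted transit messages from copies a user chooses to save to iCloud, where the provider does hold the data in a form it can produce.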

EU Developments

EU – “Umbrella Agreement” Finalized; AG to Issue PRISM Decision Soon

The EU and U.S. have reached an agreement that would protect personal data used for law enforcement purposes. However, though the text has been finalized, the European Commission has said it will not be signed until the U.S. passes legislation giving EU citizens the right to judicial redress in the U.S. Meanwhile, Europe’s Advocate General is expected to issue a long-awaited legal opinion on Facebook’s sharing of personal information with the National Security Agency under the agency’s PRISM program. The opinion, which is non-binding but influences the 15 judges on the European Court of Justice, will likely affect the EU-U.S. Safe Harbor Agreement. The opinion’s expected delivery date is now September 23. [Reuters]

EU – Drones: A Growing Danger to Data and Privacy Protection

The Article 29 Data Protection Working Party (WP29) published its opinion concerning data and privacy protection issues relating to the use of unmanned aircraft systems (UAS) in civil aviation, which is addressed both to national civil aviation authorities (CAAs) and to European legislators. The WP29 gives indications and recommendations to policy makers and sector regulators, manufacturers and/or operators. In the WP29’s opinion, the introduction of no-fly zones could be envisaged, and maps could be printed out to inform users about the designated areas. This might represent a solution to ensure the protection of private areas (such as gardens, courtyards, terraces). Manufacturers could involve a Data Protection Officer in the design and make drones as visible as possible. The WP29 also recommends the adoption of Codes of Conduct, containing sanctions in case signatories violate the norms, which might help operators prevent infringements. The WP29 emphasises the importance of the transparency and proportionality principles. Data subjects must be aware of the collection and the processing of their personal data (Article 6 of the Directive) and also be informed (Article 11) publicly by means of social media, leaflets, websites etc. In conclusion, the Working Party calls on European and national policy makers, as well as Civil Aviation Authorities (CAAs) and Data Protection Authorities (DPAs), to cooperate and to promulgate comprehensive legislation. The main aim is to make data processing legitimate in compliance with Article 7 of the Data Protection Directive. [Mondaq News] [States are pushing to pass their own regulations on drones in the absence of federal laws] [Unwanted visitor: Peeping drone raises privacy concerns for Island family]

EU – EDPS Planning International Tech Board of Ethics

The European Data Protection Supervisor (EDPS) issued a surprise opinion last week on the tech industry and is planning the implementation of an international board on tech ethics. EDPS Giovanni Buttarelli said the ethics board will advise on “the relationships between human rights, technology, markets and business models in the 21st century” and will not be strictly EU-based. He said U.S. advisors could also be on the board. Buttarelli’s opinion looked at emerging tech trends that “raise the most important ethical and practical questions for the application of data protection principles.” He is expected to meet with officials from the U.S. FTC and the White House this week. [EurActiv]

UK – ICO Offers Opinion on GDPR Texts

In a whitepaper, the UK Information Commissioner’s Office (ICO) offers its thoughts on the current negotiations over competing texts for the General Data Protection Regulation (GDPR), currently in the trilogue process. “We thought it would be useful,” the paper reads, “to set out our observations on the parts of the Council text that we consider to be most in need of improvement.” The highlights include a warning against the proliferation of “different data protection regimes” stemming from a weakening of the one-stop shop mechanism; the need for a single definition of “personal data”; the “confusing” nature of the allowance for further data processing; the need for a definition of “child”; a preference for “right to erasure” over “right to be forgotten,” and a concern that data breach notifications will overwhelm the ICO unless notification is limited to “high-risk” breaches. [Source]

UK – GDS Creates Privacy Officer Role

In its efforts to ensure GOV.UK Verify meets privacy requirements and gives its users what they expect, Government Digital Service (GDS) has created a new privacy officer’s position. Toby Stevens, GOV.UK Verify’s independent privacy adviser, is “taking on the privacy officer duties on an interim basis” while GDS fills the role, the report states. “The privacy officer will provide a focal point for decisions that may affect the use of personal data, and manage the dialogue between developers at GDS, GOV.UK Verify users, certified companies and departments offering services through GOV.UK Verify,” Stevens said, noting the privacy officer will also work with organizations such as the Information Commissioner’s Office. [Computing]

UK – ICO Probes Charity Data Use; Says Strong Interest in Privacy Seals

The Information Commissioner’s Office (ICO) is investigating the data-sharing practices of the charity sector after reports that some organizations may be profiting from donor contact data. Information Commissioner Christopher Graham described the allegations as “clearly concerning” and said the ICO is currently trying to “work out exactly what has happened.” Some of the charities named in the investigation have defended their practices. Separately, the ICO has said there are “strong levels of interest” from businesses in its privacy seals project, which it expects to be “up and running” in advance of when the EU General Data Protection Regulation comes into force. [Full Story] See also: [UK: Information watchdog investigates ‘charity data sales’] and [UK Charities face scrutiny over trading of elderly man’s data]

NL – Intelligence-Gathering Bill Raises Concerns

A draft government bill aimed at reforming intelligence-gathering is prompting privacy concerns. The Netherlands Institute for Human Rights is concerned that the bill “will grant security agencies far-reaching surveillance powers with insufficient protection of privacy,” the report states. The government, however, believes the bill brings “badly needed modernization of intelligence-gathering methods and improve(s) internal security, without violating privacy,” the report states. Government spokesman Tijs Manten said, “We think that the balance between safety and privacy in the draft is just,” while the institute points to the draft legislation allowing the government “to authorize tapping of private Internet and telephone data” as reason for concern. [Reuters] [Dutch intelligence-gathering reform bill sparks privacy concerns]

UK – Cox Wins Privacy Case Against Newspaper

Radio 1 DJ Sara Cox has won a landmark privacy case against a national newspaper after it published naked photographs of her on honeymoon. The DJ sued the People newspaper after it published the pictures of her and her husband Jon Carter while they were holidaying in the Seychelles in 2001. The case, settled in the High Court, came despite the People having provided an official apology at the time, following a complaint to the Press Complaints Commission. The claim was brought under Article 8 (the right to respect for private and family life) as incorporated into UK law by the Human Rights Act. [Daily Mail]

EU – Other EU News

Facts & Stats

WW – The Difference Between a Safe Internet and One That’s Not? $120 Trillion

The projected economic difference between a future “where cybersecurity is considered a human right” versus one where the online world is “plagued by cybercrime” with security as “a luxury good”—it’s about $120 trillion. That’s according to research from Atlantic Council and Zurich Insurance, which worked with the University of Denver’s Pardee Center for International Futures “to determine if the global benefits the Internet brings … would outpace—or be overshadowed by—digital threats.” Their report suggests, “Tens and even hundreds of trillions of dollars are at stake … not to mention the social and cultural impact … with perhaps a small window of a few years to pull back and reorient towards a more secure and more resilient Internet.” [CSM Passcode]

WW – 2015 Breach Index: 246 Million Individuals Affected So Far

Digital security firm Gemalto has released its Breach Level Index for the first half of 2015. It reports 888 breaches thus far, affecting the records of 246 million individuals around the world, a 10-percent increase in the number of breaches compared with the first half of 2014. Meanwhile, in the U.S., the personal information of nearly 80,000 students across eight Cal State campuses was breached. The students were all enrolled in an online sexual violence prevention course. Compromised data includes passwords, user names, email addresses, gender, race, relationship status and sexual identity. Cal State officials are currently investigating the incident. [Los Angeles Times]

WW – Study: Data-for-Goods Swap Not Beneficial

Aimia, a marketing and “loyalty analytics” firm, recently conducted its second annual survey to determine how consumers feel about how businesses use their data. The study found that “less than one in 10” of Canadians believed that the data they shared with organizations got them some sort of beneficial dividend. “I’m surprised marketers aren’t delivering on their part of the bargain,” said Aimia CMO John Boynton. “Why would people give you their data?” he asked. “There’s an expectation. If all you’re doing is collecting data, and your marketing programs are the same, you’re in trouble. And you may not get a second chance.” [The Globe and Mail]

US – Industry Group Trying To Solve the Ad Blocking Problem

A recent study estimated publishers will lose $21.8 billion in revenue this year due to the 198 million people around the world who use ad blockers. The Interactive Advertising Bureau (IAB) is looking for ways to get ahead of this issue, hosting a leadership summit this past July to “get the options on the table,” according to Scott Cunningham, a senior VP at the IAB and general manager of its Technology Lab. Options included getting the top 100 websites to stop showing content to users with ad blockers on the same day and suing the ad-blocking companies. IAB working groups continue to look into other options and CEOs from anti-ad blocking companies attended a meeting in August. [Advertising Age]

WW – Study: Finance, HR Pose Biggest Data-Loss Risks

A new study conducted by data-loss prevention vendor Clearswift finds surveyed data-security specialists are most concerned about threats stemming from the finance and HR departments. Further, nearly 90% of the 500 global professionals surveyed said they had experienced a “security incident” in the past year, and 73% of those incidents came from “people they knew, such as employees, past employees or customers/suppliers.” Finally, 79% replied that men were more likely than women to cause a data-security incident. [SC Magazine]

Finance

US – Dodd-Frank Means Traders Are on Record

Phone conversations are no longer the “haven” they once were for traders looking to say whatever they pleased, as the U.S. government and even individual banks listen to and store audio files per 2010’s Dodd-Frank legislation. “We have seen a 100-percent increase in the volume of audio data recorded and analyzed by banks,” said Clutch Group President Brandon Daniels. Banks are employing sophisticated software for tracking purposes, and the move has brought casualties, with Deutsche Bank AG terminating two of its traders after communication reviews. While banks “make sure that their people are being policed the right way … a lot of the guys are probably thinking twice about whether they’re in the right profession,” said Options Group CEO Michael Karp. [The Wall Street Journal] [Bank privacy notices are a joke: Here’s why] [Carnegie Mellon University did a study that suggested some banks don’t even follow the very liberal regulations set out in their privacy notices]

FOI

EU – Journalists: Initiatives Weaken Press Freedom

The German Union of Journalists has criticized Parliament’s data retention initiatives, arguing they “impair the freedom of the press and broadcasting, as they weaken protection for those who provide information, as well as editorial confidentiality.” Media outlets like the German Press Council also “consider that the planned regulations are not compatible with the jurisprudence of the European Court of Justice,” the report continues. Parliament will discuss data retention later this month, but “the current planning does not envisage that representatives of the media will be heard,” the report states. [Telecompaper] See also: [Opinion: We should nurture the principle of open courts]

Health / Medical

US – Health Care App Uses Apple Watch to ID Doctors, Follow Privacy Law

Health care app maker AirStrip has found a clever way to comply with strict federal privacy laws: using the Apple Watch’s abilities to confirm a doctor’s identity. AirStrip co-founder Cameron Powell demonstrated the app at an Apple event in San Francisco. The app shows patients’ information, including their diagnoses and lab results, on the watch screen and allows doctors to send them secure messages. The app also lets doctors communicate with other health care providers about patients. The AirStrip app taps into the Apple Watch’s ability to sense who is wearing the device, which helps the app meet the access-control and user-authentication requirements of HIPAA, the federal law that strictly protects a patient’s private health information. Any electronic health record system has to comply with this law, and the Apple Watch is no exception. [CNET]

US – Texas: Med Board Lets DEA Sneak Peeks at Patient Records

The Drug Enforcement Administration has been sifting through hundreds of supposedly private medical files, looking for Texas doctors and patients to prosecute without the use of warrants. Instead, the agents are tricking doctors and nurses into thinking they’re with the Texas Medical Board. When that doesn’t work, they’re sending doctors subpoenas demanding medical records without court approval. The DEA can’t even count how many times it has resorted to the practice nationwide. A spokesman estimated it was in the thousands. But, as a legal brief filed last week points out, lawyers for the federal government can’t find a single case in which a court has “authorized the use of such a broad array of patient information with such a sparse record as to why it needs such information.” Earlier this year, a federal judge in Texas did just that, setting up a showdown in the 5th Circuit Court of Appeals over whether the DEA needs a reason to go rummaging through private medical records in search of pill mills and prescription drug abusers. Without the legalese, the issue is simple: How good a reason does the DEA need to get access to medical records? The DEA doesn’t think it needs much of one. [Watchdog.org]

Horror Stories

US – Target-Affected Banks Granted Class-Action Status

A federal judge has granted class-action status to lawsuits by financial institutions that were victims of Target’s 2013 breach. “The decision may force Target to pay more than it previously estimated to banks that want the retailer to pay their costs for when consumers sought new credit cards after the breach,” the report states. Meanwhile, Charlotte-Mecklenburg Schools’ trouble has just begun, with the district having to notify 7,600 job applicants that their Social Security numbers were shared without authorization. And, Engadget reports that Vladimir Drinkman has pleaded guilty to the theft of more than 160 million credit card numbers since 2003, in what the Department of Justice called the “largest such scheme ever prosecuted in the United States.” [The Star Tribune]

US – Excellus Bluecross BlueShield Breach Affects 10.5 Million

Excellus BlueCross BlueShield, a New York state-based health insurer, and its affiliate Lifetime Healthcare have experienced a data breach. Excellus learned last month that intruders had initially accessed its systems in December 2013. As many as 10.5 million people may be affected by the breach. [The Hill] [SCMagazine] [NBCNews]

WW – More Bad News for Ashley Madison Users

Programming errors and shortcuts left the passwords of at least 15 million hacked Ashley Madison (AM) accounts improperly protected. A group of hobbyists claims to have cracked the passwords in about 10 days. Gabor Szathmari, an information-security consultant, writes in a blog post that the leaked “source code contains AWS tokens, database credentials, certificate private keys and other secret credentials,” resulting in “a much more vulnerable infrastructure.” Another security consultant notes that users who have reused an AM password for another account “need to change it immediately.” [ComputerWeekly] [Big hacks, big data add up to blackmailer’s dream]
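The “AWS tokens, database credentials, certificate private keys” Szathmari describes are exactly what a secrets scan over a source tree is meant to catch before code ships or leaks. The following is an added example, not code from Ashley Madison or from the article: a minimal pattern-based scanner run over a constructed sample file. The AWS access key ID shape (AKIA plus 16 uppercase alphanumerics) and the PEM header are public formats; the secret-key and connection-string rules and the placeholder allowlist are this editor’s own assumptions about common shapes, and every planted value below is made up.

```python
"""Added example: a minimal secrets scanner for source trees.

Looks for the kinds of material the Ashley Madison source dump reportedly
contained: cloud access keys, database credentials embedded in connection
strings, and PEM private keys.  The sample source below is constructed for
the example and is not taken from any real code base.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str
    regex: re.Pattern
    # False when the match is only a marker (a PEM header) rather than the
    # secret itself, so nothing needs masking in the report.
    mask: bool = True


# The AWS access key ID shape and the PEM header are public formats; the other
# two rules are common shapes assumed for the example, not complete grammars.
RULES = [
    Rule("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    Rule("aws_secret_access_key", re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,3}['\"]?([A-Za-z0-9/+=]{40})")),
    Rule("db_connection_string", re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:/@]+:([^\s@]+)@[^\s/]+")),
    Rule("pem_private_key", re.compile(
        r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"), mask=False),
]

# Documented placeholder values that are not real credentials; suppressing
# them keeps the report from drowning real hits in sample-code noise.
KNOWN_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # matched text with the secret portion masked


def _mask(secret: str) -> str:
    # Keep a short prefix so the owner can recognise which key leaked,
    # without putting the whole value into a ticket or log.
    return secret[:4] + "****"


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per credential-like match, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            for m in rule.regex.finditer(line):
                secret = m.group(1) if m.lastindex else m.group(0)
                if secret in KNOWN_PLACEHOLDERS:
                    continue
                shown = m.group(0).replace(secret, _mask(secret)) if rule.mask else m.group(0)
                findings.append(Finding(line_no, rule.kind, shown))
    return findings


def count_by_kind(findings: list[Finding]) -> dict[str, int]:
    """Summary counts, e.g. for a CI gate that fails on any non-zero total."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample "source file" with planted credentials (not real values).
SAMPLE_SOURCE = """\
# constructed sample, not real code
import boto3
AWS_ACCESS_KEY_ID = "AKIA2E0A8F3B244C9986"
AWS_SECRET_ACCESS_KEY = "Zk3qP8vR2tL9xW4nB7cD1fG6hJ0mK5sT8uY2aE4r"
DATABASE_URL = "mysql://amuser:s3cretPa55@db.internal.example/am_prod"
DOC_EXAMPLE = "AKIAIOSFODNN7EXAMPLE"  # AWS docs placeholder, allowlisted
cert_key = '''-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----'''
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no:>3}  {f.kind:<24} {f.redacted}")
```

A scanner like this belongs in a pre-commit hook and in CI; the redaction keeps a finding actionable without copying the secret into a ticket. Any credential it matches in a repository should be treated as compromised and rotated, because deleting it from the working tree does not delete it from history.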

WW – Following Ashley Madison, Gov’t Investigates Employees Implicated

Robin Levinson King questions whether things will ever be the same following the Ashley Madison breach. “Beyond the sex and the secrecy is a story about what privacy means in the digital age and what responsibility both companies and Internet users have towards protecting others’ privacy,” King writes. Meanwhile, the BC government is investigating the government emails uncovered in the breach. According to the Ministry of Technology, Innovation and Citizen Services, there were 14 email addresses implicated. Five of them are inactive accounts. “Our primary concern is security at this time,” the ministry said. [The Toronto Star]

WW – On Making Stolen Ashley Madison Data Legally Toxic

Several class-action lawsuits have arisen in the wake of the hack of Ashley Madison and efforts to make personal data stolen from the infidelity website legally toxic. Specifically, a new lawsuit aims to hold websites and hosting services liable for aiding and abetting the hackers by making the sensitive data searchable online. The complaint states that while these “entities may labor under the belief that their actions are entrepreneurial rather than criminal … the fact remains that they are in willful possession of stolen property.” Meanwhile, a U.S. pastor whose name was allegedly among those leaked has committed suicide; police in Canada have said at least two other individuals have killed themselves after the release of their information as well. [Fusion] [Ashley Madison Says It’s Still Gaining Users Amidst Privacy Woes] [We’re not talking about data security, and that’s a problem]

US – 10M-Plus Records Affected in Insurer, Bank Breaches

A breach of Excellus BlueCross BlueShield’s systems has affected more than 10 million records. The data loss was discovered when the organization conducted an external forensic assessment after other healthcare organizations, such as Anthem and Premera, reported breaches of their own. According to investigators, the breach started as early as 2013. “We are taking additional actions to strengthen and enhance the security of our IT systems moving forward,” Excellus said in a statement. Meanwhile, “thousands” of clients’ data was stolen from UK-based Lloyds Premier Banking. [ComputerWeekly]

WW – Leaked Data Fuels Bank Scams, Gov’t Data Mining

The leaked data stolen from infidelity site Ashley Madison continues to pose problems for individuals in new and malicious ways, according to two separate reports. Fraudsters are currently trying to take advantage of the leaked data, and of data stolen from Carphone Warehouse, to trick people into disclosing their bank details. Meanwhile, according to The Telegraph, UK intelligence agencies are mining Ashley Madison data to see if their own staff could be targeted for blackmail while also using it to find potential intelligence targets. [The Independent] [US: Data Privacy: Wyndham Hotel’s Wake Up Call Should Be Your Own]

US – DHHS Settles with Cancer Care Group for $750,000

In a settlement with the Department of Health and Human Services (DHHS) over potential HIPAA violations, Cancer Care Group has agreed to pay $750,000 and adopt a “robust corrective action plan to correct deficiencies in its HIPAA compliance program,” according to a DHHS press release. The settlement follows a breach three years ago in which an unencrypted server backup and a laptop were stolen from the car of an employee of the oncology practice. Meanwhile, the Association of American Physicians and Surgeons has filed an amicus brief with the U.S. Supreme Court, urging the court to dismiss the state of Vermont’s appeal of the Second Circuit’s decision to block “enforcement of Vermont’s database requirement against Liberty Mutual Insurance Company” due to privacy concerns. [DHHS] See also: [CA – Rouge Valley Hospital Clerk Pleads Guilty to Stealing, Selling Patient Records] [CA – Ajax woman disturbed over alleged suggestive texts from Sleep Country staffer] [UK London HIV clinic accidentally reveals hundreds of patients’ identities]

Identity Issues

EU – DPA Issues Anonymisation Guide

Norway’s Data Protection Authority (DPA), Datatilsynet, has issued a guide on anonymising personal information. The DPA’s guide “provides practical guidance for data controllers on the considerations to be made prior to anonymising data and highlights Datatilsynet’s opinion on the effectiveness of different anonymisation methods,” the report states. DLA Piper’s Cecilie Ronnevik notes the guide is needed because “Datatilsynet has, over the years, found that there are severe misunderstandings regarding the definition of identifiable personal data.” Along with anonymisation, the guide also considers the topic of pseudonymisation, the report notes. [Privacy This Week]
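The distinction the guide draws between anonymisation and pseudonymisation is easy to get wrong in practice; the most common mistake is treating a hashed identifier as anonymous. The following is an added example, not taken from Datatilsynet’s guide or the DLA Piper note, that works through the three cases on a constructed dataset: an unkeyed hash that falls to a dictionary attack over plausible inputs, a keyed HMAC pseudonym that only the key holder can re-link, and generalisation of quasi-identifiers checked against a k-anonymity threshold. The records, the HMAC key, the generalisation rules and the choice of quasi-identifiers are all assumptions made for the demonstration.

```python
"""Added example: pseudonymisation vs anonymisation on a constructed dataset.

A plain hash of an identifier is recoverable by guessing; a keyed hash is
pseudonymisation (re-linkable by whoever holds the key, so still personal
data); only generalisation that destroys the link, checked with k-anonymity,
approaches anonymisation.  All records here are constructed, not real people.
"""
from __future__ import annotations

import hashlib
import hmac
from collections import Counter
from typing import Callable, Iterable

# Constructed records: email is a direct identifier; postcode and birth year
# are quasi-identifiers that can single a person out in combination.
RECORDS = [
    {"email": "anna@example.org",    "postcode": "0150", "birth_year": 1981, "diagnosis": "asthma"},
    {"email": "bjorn@example.org",   "postcode": "0182", "birth_year": 1985, "diagnosis": "diabetes"},
    {"email": "cecilie@example.org", "postcode": "5003", "birth_year": 1972, "diagnosis": "asthma"},
    {"email": "david@example.org",   "postcode": "5020", "birth_year": 1978, "diagnosis": "hypertension"},
    {"email": "eva@example.org",     "postcode": "9008", "birth_year": 1990, "diagnosis": "asthma"},
    {"email": "frida@example.org",   "postcode": "0190", "birth_year": 1988, "diagnosis": "migraine"},
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic and public, so guessable inputs are recoverable."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256: not recoverable without the key, but the key holder
    can recompute and re-link, so the output is still personal data."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> str | None:
    """Re-identify a digest by recomputing fn over a list of plausible inputs."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


def generalise(record: dict) -> dict:
    """Coarsen quasi-identifiers and drop the direct identifier entirely.
    Postcode keeps two leading digits, birth year becomes a decade (assumed rules)."""
    decade = record["birth_year"] // 10 * 10
    return {
        "postcode": record["postcode"][:2] + "**",
        "birth_decade": f"{decade}s",
        "diagnosis": record["diagnosis"],
    }


def k_anonymity(records: list[dict], quasi_ids: tuple[str, ...]) -> int:
    """Smallest number of records sharing one combination of quasi-identifiers."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values()) if groups else 0


def enforce_k(records: list[dict], quasi_ids: tuple[str, ...], k: int) -> list[dict]:
    """Suppress records whose quasi-identifier combination appears fewer than k times."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return [r for r in records if groups[tuple(r[q] for q in quasi_ids)] >= k]


if __name__ == "__main__":
    emails = [r["email"] for r in RECORDS]
    key = b"constructed-demo-key"  # assumption: held only by the data controller
    print("hash recovered:", dictionary_attack(naive_hash("eva@example.org"), emails, naive_hash))
    pseudo = pseudonymise("eva@example.org", key)
    print("pseudonym recovered without key:", dictionary_attack(pseudo, emails, naive_hash))
    print("pseudonym recovered with key:",
          dictionary_attack(pseudo, emails, lambda e: pseudonymise(e, key)))
    generalised = [generalise(r) for r in RECORDS]
    print("k before suppression:", k_anonymity(generalised, ("postcode", "birth_decade")))
    released = enforce_k(generalised, ("postcode", "birth_decade"), k=2)
    print("k after suppression:", k_anonymity(released, ("postcode", "birth_decade")),
          "records released:", len(released))
```

The point for a controller is the middle case: a dataset keyed by HMAC pseudonyms is protected against an outsider, but as long as the key exists somewhere the controller can re-identify it, which is why such data stays within the scope of data protection law. Generalisation with suppression does destroy that link, at the cost of the one record that would otherwise be unique.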

US – Judge Upholds Arizona’s ‘Show Your Papers’ Immigration Law

A federal judge has upheld part of Arizona’s contentious immigration law, rejecting claims that the so-called “show your papers” section of the law discriminated against Hispanics. The ruling by U.S. District Judge Susan Bolton was on the last of seven challenges to the 2010 law. The section being upheld allows police in Arizona to check the immigration status of anyone they stop. Bolton ruled that immigration rights activists failed to show that police would enforce the law differently for Hispanics than for other people. The judge also upheld a section that lets police check whether a detainee is in the United States illegally, while voiding provisions targeting day laborers. Bolton’s ruling came two days after a federal judge approved a deal between the U.S. Department of Justice and Arizona’s Maricopa County to resolve accusations of civil rights abuses and dismissed the department’s lawsuit against Sheriff Joe Arpaio and his deputies. [Reuters]

US – Gov’t Awards $133M Contract for OPM Hack Data Protection Services

The Department of Defense (DoD), Office of Personnel Management (OPM) and General Services Administration have awarded a $133.3-million contract to Identity Theft Guard Solutions to provide personal data protection services to the 21.5 million victims of the second OPM hack. The contract is part of a larger $500-million Blanket Purchase Agreement for responding to the devastating data breach and potential future breaches stemming from the hack. Unlike the response to the first hack, the DoD—and not the contractor—will notify victims, and the Pentagon will cover the contract cost. Acting OPM Director Beth Cobert said notifications would not go out until the “end of the month.” [GovExec]

Internet / WWW

RU – Data Localization Enforcement Postponed Until January

Russia has postponed the enforcement of a new national law requiring technology companies that handle the personal data of Russian citizens to install data centers within the country’s national borders. The law officially goes into effect today, but Russian regulators have told companies such as Facebook, Google and Twitter they will not check for compliance until January. A spokesman for Russian communications regulator Roskomnadzor said, “We understand that in transnational companies where offices are spread globally, it takes a while to make a decision.” The spokesman also pointed out that Roskomnadzor does not yet have the resources to check that every company is in compliance. [The Wall Street Journal]

Law Enforcement

CA – Ontario Says it Cannot Get Data on Effectiveness of Carding for Review

The provincial government cannot compel Ontario’s police forces to hand over their data on street checks — including information as to how many times the controversial practice has helped solve crimes, according to Minister of Community Safety and Correctional Services Yasir Naqvi. That means that as the province continues its review of street checks, commonly known as “carding,” it will do so without knowing how often the practice has actually proved useful to investigations, by leading to an arrest, to the discovery of a weapon or drugs, or more. Naqvi said his ministry has been consulting with Ontario’s Information and Privacy Commissioner about how to gain access to this policing data in aggregate form, stripped of any personal information. [Metro News]

US – Judge Lifts 11-Year-Old Gag Order

The Intercept reports U.S. District Court Judge Victor Marrero has “fully lifted an 11-year-old gag order that the FBI imposed on Nicholas Merrill … to prevent him from speaking about a National Security Letter served on him in 2004.” Merrill was the founder of a small Internet service provider and, upon being served the order, was told he couldn’t speak of it to anyone. The lifting of the order is the first time such an order has been fully lifted since the USA PATRIOT Act of 2001 permitted the FBI to issue letters demanding information for national security purposes. Merrill and the ACLU have been fighting to lift the order since 2004. [Full Story]

US – Undercover FBI Agents Spy On Burning Man Festival to Prevent ‘Terrorism’ and Test Out New ‘Intelligence Collection’ Technology

The FBI has admitted to gathering secret intelligence about the annual Burning Man festival since 2010. In response to a 2012 Freedom of Information Act request, the bureau said its Special Events Management unit has kept files on festival-goers, known as “burners,” to “aid in the prevention of terrorist activities and intelligence collection.” But the FBI’s 16-page response to the request by Inkoo Kang is heavily redacted, with information about the technology used to secretly gather the information blanked out. The revelation comes as the 29th Burning Man takes place in the Black Rock Desert in Nevada. [Mail Online]

Offshore

JP – Amendments Call for Information Protection Commission

The Diet passed an amendment to the Act on the Protection of Personal Information that permits the creation of a Personal Information Protection Commission (PIPC), effective in January. The PIPC “will be established as an independent authority,” the report states, in an effort “to bolster Japan’s expected request for a determination of adequacy by the European Commission.” Updates to the law were also found in Article 24, which “imposes restrictions on the transfer of personal information of Japanese citizens to third parties in foreign countries,” the report continues, adding that “draft rules for implementing Article 24 specifically call out a company’s APEC Cross Border Privacy Rules certification as satisfying this requirement.” [TRUSTe Blog]

AU – Australian Data Retention Laws End Online Privacy

The digital privacy of Australians ends on October 13. On that day this country’s entire communications industry will be turned into a surveillance and monitoring arm of at least 21 agencies of executive government. The electronically logged data of mobile, landline voice (including missed and failed) calls and text messages, all emails, download volumes and location information will be mandatorily retained by Australian telcos and ISPs. Intelligence and law enforcement agencies will have immediate, warrantless and accumulating access to all telephone and internet metadata required by law, with a $2 million penalty for telcos and ISPs that don’t comply. There is no sunset clause in the Abbott government’s legislation, which was waved through parliament by Bill Shorten’s Labor with only minor tweaks. The service providers are to keep a secret register of the agency seeking access to metadata and the identity of the persons being targeted. There is nothing in the Act to prevent investigative “fishing expeditions” or systemic abuse of power except for retrospective oversight by the Commonwealth Ombudsman. That’s if you somehow found out about an agency looking into your metadata – which is unlikely, as there’s a two-year jail sentence for anyone caught revealing information about instances of metadata access. [TNT Report]

Online Privacy

US – FTC, Nomi Deal: If You Say Consumers Can Opt Out, Don’t Track Them

A deal was finalized late last week between the FTC and Nomi Technologies, a retail tracking company. When companies tell consumers they can choose not to be tracked, they “must keep that promise,” the report states, suggesting that is the takeaway from the FTC’s decision regarding Nomi. The FTC said it “encourages companies to provide truthful privacy choices to consumers and believes such choices are consistent with growth and innovation. However, the Commission also must take action in appropriate cases to stop companies from providing false choices.” In its deal with Nomi, the FTC has required the company to “promise that it won’t in the future misrepresent its privacy policy,” the report states. [MediaPost] See also: [Privacy Protectors: Crucial Contributions by Librarians] and [US – Clever Startup Now Protects Student Data in One-Third of Schools]

WW – Facebook to Introduce Ad-Tweaking Feature

Following discussions with Ireland’s Office of the Data Protection Commissioner, Facebook will now allow users across the globe to modify the way they see ads in the site’s own settings instead of relying on a third party to get the same result. “We’re introducing an additional way for people to turn off this kind of advertising from the ad settings page right on Facebook,” said Facebook Global Deputy CPO Stephen Deadman. “If you choose to use this tool, it will become the master control for online interest-based advertising across all of your devices and browsers where you use Facebook.” Meanwhile, Facebook hopes that a U.S. appeals court will permit its $20 million settlement regarding the “challenge to its use of social media images in advertising features” to stand. [The Independent] [Facebook’s new digital assistant ‘M’ will need to earn your trust]

WW – GPEN Finds Apps Collecting Kids’ Info

After examining almost 1,500 apps and websites aimed at children, the Global Privacy Enforcement Network found 67% harvest personal information, with only 31% employing controls. Adam Scott of the UK Information Commissioner’s Office said, “The attitude shown by a number of these websites and apps suggested little regard for how anyone’s personal information should be handled, let alone that of children.” Canadian Privacy Commissioner Daniel Therrien noted, however, that a small number of websites and apps “did not collect any personal information at all, demonstrating it is possible to have a successful, appealing and dynamic product that is also child friendly and worry-free for parents.” Meanwhile, Microsoft is working to ensure children’s privacy regulations are observed in app advertising. [Source] [Kid-friendly websites, mobile apps often putting children’s privacy at risk, probe finds] [Canada’s privacy watchdog’s ‘bad blood’ with Taylor Swift]

WW – TRUSTe Introduces New Opt-Out Feature

TRUSTe has announced that its TRUSTed Ads Compliance Manager has a new component, Dynamic Platform Detection. The program employs a “single smart tag” that companies can use to streamline opt-out functions on both desktop and mobile devices. “With the addition of Dynamic Platform Detection, TRUSTe is taking the industry one step closer to a universal opt-out which can be supported and guaranteed across a variety of connected advertising environments,” the company said. “Many consumers are embracing the convenience and benefits of connected devices,” said TRUSTe CEO Chris Babel. “However, the use of different tracking technologies to serve relevant ads across these platforms remains a privacy concern for consumers and a challenge to industry seeking to deliver and honor advertising preferences.” [TRUSTe Blog]

WW – Spotify Releases Another New Privacy Policy

Two weeks after negative media and public response led to Spotify CEO Daniel Ek clarifying the company’s privacy policy, the music-streaming service has released a new privacy policy designed to “more clearly state why and when the company will ask for access to information like users’ photos and GPS data—as well as how that information is used.” The new policy, which comes with an easy-to-use table of contents and is in “plain language,” makes it clear that Spotify divides data into two categories: data needed to use the Spotify service and data Spotify can use for extra benefits. This latter category can only be accessed by Spotify with explicit user consent, the policy states. [NBC] See also: [What could derail the wearables revolution? ]

WW – Can the One-Page Privacy Policy Become the Norm?

Online security company AVG Technologies has announced the release of the One-Page Privacy Policy. The policy will take effect October 15 and was first pledged by AVG CEO Gary Kovacs, who promised the Amsterdam-based company would develop a “simple privacy policy that can communicate on one page the basics of what data AVG collects and how AVG uses it,” according to a press release. Kovacs at the same time has challenged others in the industry to follow AVG’s lead and offer the same transparency to users. “Without privacy online, there can be no security; and without security, there can be no trust,” said AVG’s Harvey Anderson. [Source]

Other Jurisdictions

RU – Russian Data Law Fuels Web Surveillance Fears

A new law has been implemented in Russia that in theory demands companies store data about Russian citizens on Russian territory, throwing thousands of firms with online operations into a legal grey area. The law, which came into operation this week, is part of an attempt to wrest control of the internet, which president Vladimir Putin has called a “CIA project”. The Russian authorities are keen to ensure greater access for domestic security services to online data, and lessen the potential for foreign states, especially the US, to have the same access. The law has created disquiet among internet giants such as Facebook, Twitter and Google, which would have to move data on Russian users to servers inside Russia and notify the Russian internet watchdog, Roskomnadzor, about their location. As is often the case with Russian legislation, the exact scope of the law is unclear. It could be left largely unimplemented, but always available as a tool to use when required. [theguardian.com]

HK – HKBN Fined HK$30,000 in “Landmark” Case

Hong Kong Broadband Network (HKBN) has been “fined HK$30,000 in a landmark trial over using customer data for direct marketing despite receiving an opt-out request.” HKBN had pleaded not guilty, the report states, noting this is the first case “since an amendment to the Personal Data (Privacy) Ordinance took effect on April 1, 2013.” The Office of the Privacy Commissioner for Personal Data (PCPD) has received more than 500 complaints about direct marketing since the ordinance was amended, the report states, noting Privacy Commissioner Stephen Wong has indicated organizations should regularly update their opt-out lists, as those convicted “are liable to a maximum fine of HK$500,000 and imprisonment for three years.” HKBN has said it plans to appeal the fine. [The Standard]

HK – PCPD Finds Benchmark for Prosecution Is High

Privacy Commissioner for Personal Data (PCPD) Stephen Wong said of the 40 cases involving the misuse of data in marketing referred to police in the last two years, “only three have made it to court.” Wong said the “benchmark for prosecution of such cases is high,” the report states. According to a study by the PCPD’s office and the University of Hong Kong, only 30% of complaints can be investigated; while Hong Kong residents are keenly aware of privacy rights, they aren’t as aware of the limitations of privacy law, the report states. Wong said his office receives about 18,000 inquiries a year, and last year received 1,700 complaints. [The Standard]

IN – The Constitutionality of Privacy in India

The Constitution Bench of the Supreme Court of India will soon pronounce whether the right to privacy is fundamental, and while India’s constitution doesn’t explicitly guarantee its citizens a right to privacy, the court has noted that “many of the fundamental rights of citizens can be described as contributing to the right to privacy.” Sudhanshu Ranjan writes, “In many subsequent cases, the right to dignity was held as a non-negotiable right. It is evident that the right to dignity is hollow without the right to privacy.” Though the court is still in this process, the government intends to introduce the DNA Profiling Bill soon, which includes “no safeguard against the misuse of data proposed to be collected under the bill.” [The Asian Age]

WW – Other International News

Privacy (US)

US – Twitter Sued for Alleged Direct Message Interception

A class-action lawsuit has been filed against Twitter, claiming the social networking company “surreptitiously eavesdrops” on users in its direct messaging feature. The suit alleges Twitter intercepts messages without user consent and through its algorithms. When a user sends another user a direct message with a hyperlink included, the suit alleges, Twitter changes the original link to its own custom link without the user seeing the change. The company allegedly benefits from this because it can analyze traffic and offer more relevant advertising. Twitter’s privacy policy says it keeps track of how users send and receive hyperlinks. In addition to halting such a practice, the suit seeks redress and statutory damages under the Electronic Communications Privacy Act. [TechCrunch]

US – Proctortrack Data Deleted

After allegedly breaking its 90-day, post-test deletion promise with Rutgers University, online proctoring software company Verificient deleted the biometric and personal student data gleaned from its Proctortrack program. “The data has been deleted in compliance with the agreement; spring semester student data was purged on September 1,” said a Rutgers University spokesman, adding, “Any student data obtained during an online exam is used only by Proctortrack to ensure compliance with testing policies” and “notice of the deletion began going out to the more than 3,000 students who chose to use the Proctortrack software.” Rutgers has said the company used the academic calendar and holidays to calculate the 90 days, which added to the delay. [Ars Technica]

US – Court Urged to Vacate $8.5M Google Settlement

Activist Theodore Frank has filed papers asking the Ninth Circuit Court of Appeals to vacate an $8.5 million settlement with Google. Frank alleges the settlement, which “requires Google to pay around $6 million to six nonprofits … and more than $2 million to the attorneys who brought the lawsuit” amounts to a payment to attorneys “with a change in accounting entries for another $6 million of Google money from its every-day charitable donations to a … settlement fund.” Meanwhile, a California appeals court has found that the rights of defendants in criminal cases to access “information that will aid in their defense does not extend before trial to social networking posts that are protected under federal law.” [MediaPost]

US – Privacy Scholars Want Spokeo Ruling Upheld

A group of 15 privacy scholars has filed a brief with the Supreme Court regarding Spokeo, Inc. v. Robins. To disallow the class-action against Spokeo would present significant detriment to the Fair Credit Reporting Act (FCRA), they suggest. “The FCRA’s consumer transparency requirements and remedial provisions were designed to encourage steady improvement in consumer reporting practices and to relieve pressure on public enforcement authorities,” the document abstract states, noting, “The Petitioner’s claim that Respondents cannot pursue it for its violations of the FCRA would unravel that bargain, preserving consumer reporting agencies’ broad immunity from suit while diminishing incentives to handle data fairly.” [Paper]

US – White House Weighs in on Spokeo

The news surrounding the Spokeo case continues with the White House throwing its hat in the ring via a 49-page brief that exhorts a Supreme Court ruling in favor of consumers. “Congress could reasonably conclude that the inclusion of false information in a report … should be treated as a legally cognizable injury to the individual consumer involved, even though the precise nature and extent of any later consequential harms may be difficult to verify in individual cases,” the brief states. [MediaPost]

US – Sony, UCLA Health Win in Court

A federal appellate court ruled unanimously that a class-action against Sony claiming the company violated the Video Privacy Protection Act (VPPA) cannot go forward. The court stated the law doesn’t provide a private right of action for retaining records beyond a time limitation, only by divulging that information. A California court cleared the University of California Los Angeles Health System of responsibility for the unauthorized release of a woman’s medical records. The incident occurred when a temporary worker—a “romantic rival”—used a doctor’s username and password to access a woman’s medical records and then texted them to others. [MediaPost]

US – Privacy of Women Seeking Abortions Tested Repeatedly

Anti-abortion groups access information on women seeking abortions and then publish information on their websites. A few years back, Jonathan Bloedow filed a series of requests under Washington state’s Public Records Act asking for details on pregnancies terminated at abortion clinics around the state. For every abortion, he wanted information on the woman’s age and race, where she lived, how long she had been pregnant and how past pregnancies had ended. He also wanted to know about any complications, but he didn’t ask for names. This is all information that Washington’s health department, like those in other states, collects to track vital statistics. Bloedow is an anti-abortion activist who had previously sued Planned Parenthood, accusing the group of overcharging the government for contraception. The health department had already given him data for one provider, he said, and was on the verge of turning over more information when Planned Parenthood and other clinics sued, arguing that releasing the records would violate health-department rules and privacy laws. The legal skirmish, and others like it nationwide, reveals a quiet evolution in the nation’s abortion battle. Increasingly, abortion opponents are pursuing personal and medical information on women undergoing abortions and the doctors who perform them. They often file complaints with authorities based on what they learn. [ProPublica, seattletimes.com]

US – Privacy Concerns Don’t Curb Use of Classroom Apps

Parents and lawmakers want more safeguards to prevent exposure of student data. Laptops, tablets and smartphones each year play a more prominent role in schools, despite lingering concerns that private companies and government agencies are using such devices to collect massive amounts of data that can be used to profile students. [US News]

Privacy Enhancing Technologies (PETs)

EU – EuroPriSe Awards First Website Certification Seal

A little more than 20 months after the EuroPriSe privacy certification seal changed hands on January 1, 2014, the new operation has awarded its first Website Certification Seal to the website of Versorgungsanstalt des Bundes und der Länder, Germany’s Pension Institution of the Federal Republic and the Länder. Previously, seals were only awarded to IT-based services for confirmation that data processing and collection met European data protection law. [Privacy Advisor]

WW – Apple iOS9 to Provide Content Blocking

More debates around online privacy are likely to emerge in the coming weeks with Apple’s expected release of its new operating system, iOS9, which will include a new content-blocking feature allowing developers to block cookies, images and other trackers. Apple is also expected to implement new security and encryption features called App Transport Security, essentially providing HTTPS for apps. The move could have profound effects on the ad ecosystem, the report states. [Ad Exchanger] [Apple Moving Forward In App Privacy; Google…Not So Much?]
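As an added illustration, not taken from the report or from Apple’s own documentation, this is the shape of a rule list for the Safari content-blocker API the item refers to; the host names are constructed placeholders:

```json
[
  {
    "trigger": {
      "url-filter": ".*",
      "load-type": ["third-party"]
    },
    "action": { "type": "block-cookies" }
  },
  {
    "trigger": {
      "url-filter": "^https?://([^/]+\\.)?tracker-example\\.invalid/",
      "resource-type": ["image", "script"]
    },
    "action": { "type": "block" }
  },
  {
    "trigger": {
      "url-filter": ".*",
      "if-domain": ["*news-example.invalid"]
    },
    "action": { "type": "css-display-none", "selector": ".ad-banner" }
  }
]
```

Each rule pairs a trigger (a URL regex plus optional resource-type, load-type and domain filters) with a single action; this list strips cookies from all third-party requests, blocks images and scripts from the placeholder tracker host, and hides an ad element on the placeholder news site.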

US – DARPA’s Brandeis Project to Cultivate Privacy Tech

The Defense Advanced Research Projects Agency (DARPA) has launched a new privacy-focused project. Counter to the post-9/11 Total Information Awareness program that was eventually shuttered, “Brandeis” aims to cultivate technology for protecting individual privacy. DARPA Program Director John Launchbury, a cryptographer and computer scientist, said, “Privacy is a key enabler to things we care desperately about, like democracy and innovation.” DARPA is looking to collaborate with leading researchers and entrepreneurs and expects the project to last approximately four-and-a-half years, with a budget in the “tens of millions of dollars.” The early-stage research efforts DARPA will support include advanced cryptography, multiparty differential privacy and artificial intelligence for predicting an individual’s privacy preferences. [The New York Times]

WW – Data Shows Tor Use Booming

According to new online program Onionview, which permits users to see where Tor nodes have been activated, there are now more than 6,000 such systems in use. “People think that Tor is 10 people running computers in their basements,” said Onionview creator Luke Millanta. “When people see the map,” he said, they can see “what 6,000 nodes around the world looks like.” The data also indicates a five-year peak in Tor nodes. In 2010, the count “consisted of less than 2,000 nodes, compared with 6,425 today,” the report states, adding that Germany and the U.S. lead the world in Tor use. [Wired] [This program lets you snap a photo of whoever’s trying to hack you]

WW – Report: Overheated Rhetoric Creates a ‘Privacy Panic Cycle’ for New Technologies, Warns Policymakers Not to Overreact

The Information Technology and Innovation Foundation (ITIF) today released a comprehensive analysis of how privacy advocates trigger waves of public fear about new technologies in a recurring “privacy panic cycle.” ITIF urged policymakers to recognize these panics and not allow hypothetical, speculative, or unverified claims to distort the policy process or inhibit new innovation. In a new report released today, “The Privacy Panic Cycle: A Guide to Public Fears About New Technologies,” ITIF outlines the stages of public panic and the factors and trends influencing these stages, along with examples of how the panic cycle has repeatedly played out throughout modern history—from the first portable camera to search engines to drones. [Infographic summary of the report] [Full Report] [WASHINGTON PRWEB]

WW – Is Obfuscation the Newest Tool for Privacy Protection?

In an interview with Slate, Finn Brunton, co-author of Obfuscation: A User’s Guide for Privacy and Protest, with fellow NYU Prof. Helen Nissenbaum, discusses the nature of online privacy and a new tactic—obfuscation—in the fight for relative Internet ambiguity. In their book, Brunton and Nissenbaum describe obfuscation as “the deliberate addition of ambiguous, confusing or misleading information to interfere with surveillance and data collection,” the report states. “Part of what we like about obfuscation is that it’s an approach that doesn’t rely on perfect technology perfectly implemented, or everyone getting onboard at the same time,” Brunton notes, adding it’s “not a replacement, but rather a supplement, a complement that we would see added to the existing toolkit of privacy protection practices.” [Full Story]

RFID / IoT

WW – Forum Stresses Importance of Industry, Gov’t Efforts

To date, the debate on Internet of Things (IoT) technologies has focused on companies’ abilities to keep their Internet-connected devices secure and government efforts to make sure proper privacy protections are in place. But at last week’s Security of Things Forum, both government and industry panelists said industry has to do more to protect consumers. That’s because consumers don’t always totally understand the privacy implications at hand when using IoT devices. But Andrea Matwyshyn, a law professor at Northeastern University, also said regulators have to be careful when policy-making that they understand the technology as well, or risk overregulating. “In this case, we need a regulatory scalpel, not a regulatory axe,” she said. [The Christian Science Monitor] Republican commissioners from the FTC and the FCC warn the FCC’s move into the FTC’s Internet privacy jurisdiction will lead to excessive enforcement and uncertainty.

Security

US – NCSC Launches Spear-Phishing Awareness Campaign

During the Intelligence & National Security Summit, Bill Evanina, director of the National Counterintelligence and Security Center (NCSC), introduced the NCSC’s new Know the Risk, Raise Your Shield campaign to raise spear-phishing awareness. Evanina said “91 percent of the breaches we’ve seen in the last few years have emanated from spear phishing,” adding, “Our adversaries do not need to use sophisticated attacks—it all starts with e-mails.” Understanding the danger of clicking mysterious links is “something we all need to do,” he said, noting, “If just a few people don’t click the link, it could prevent another huge breach in the future.” [Ars Technica]

WW – Cloud Security Alliance Proposes Threat-Sharing Scheme

Aiming to help organizations report threats, the Cloud Security Alliance is proposing establishing a scheme that would allow for the anonymous sharing of information. The Cloud Cyber Incident Sharing Centre would take in threat information and then, using algorithms, would “provide near-real-time correlation with reports supplied by other vetted members. If similarities are discovered, members can be alerted and provided with the related reports that contain additional attack indicators, valuable context and mitigation advice,” reads a CSA white paper outlining the proposal. Threat-sharing is especially important for the cloud industry because of how harmful a widespread attack could be given the cloud’s central role in IT structures. [Full Story]

US – OMB Guidance on Federal Contractor Cybersecurity is Lenient and Vague

The US Office of Management and Budget’s draft guidance on cybersecurity for federal contractors is facing criticism for being too lenient and too vague. In a letter responding to the draft, the US Chamber of Commerce wrote, “The guidance needs to be dynamic and not become an ossified checklist of requirements that fails to respond to actual threats.” And the US Professional Services Council called the guidance “too little, too late, and too flexible.” [FederalTimes] [The Hill] [WeLiveSecurity] [FedScoop]

US – CA Welcomes New Cybersecurity Center

Governor Jerry Brown (CA-D) signed into existence the California Cybersecurity Integration Center, a new agency with a chief goal of protecting the data of state organizations from breaches. “The center will serve as a central hub for the state’s online security and coordinate with state departments, federal agencies and tribal governments, utilities and other service providers, academic institutions and non-governmental organizations,” the report continues, adding that the move follows instances of IT non-compliance found by state auditors. [CBS Sacramento]

WW – Baby Monitors Not Secure: Study

According to a study from Rapid7, several Internet-connected baby monitors lack basic security. Some of the monitors do not encrypt their data streams, and some use unchangeable administrator passwords, which are easy to obtain. Because the monitors are Internet-connected, once compromised, they could be used to jump to other devices on the same network. “Eight of the nine cameras got an F and one got a D-minus,” said researcher Mark Stanislav. [Fusion] [The Hill] [The Register] [ZDNet] [Rapid7 Paper]

WW – Microsoft Paper Says EHR Databases, Even Encrypted, Aren’t Safe

According to a new study by Microsoft, many types of electronic medical record databases are vulnerable to data leaks even if they’re encrypted. In the paper, researchers describe gaining access to such information as sex, race, age and admission information using actual patient records from 200 U.S. hospitals, the report states. Given that, the researchers recommend such databases not be used, the paper states. The risk lies in that encrypted data must be decrypted often to be effective, and that data gets stored in a computer’s memory, which would be dangerous if cybercriminals gained access. The paper will be presented at a security conference next month. [IDG News Service] [Microsoft researchers warn that some encrypted databases used for medical records aren’t so secure]

Surveillance

WW – UN’s Cannataci on Lack of Surveillance Oversight

UN Special Rapporteur on Privacy Joseph Cannataci said the lack of oversight for UK surveillance activities is “worse than a bad joke” and possibly “downright dangerous.” Specifically, he said the three bodies with oversight powers, the Information Commissioner’s Office, the Intelligence and Security Committee and the Investigatory Powers Tribunal, are all under-resourced and incapable of undertaking the work necessary to keep in check “one of the largest intelligence set-ups in the Western world.” [Full Story] [UK: Man fined for flying drone at football matches and Buckingham Palace]

US – NSA Bulk Call Records Collection Extended for Last Time

The NSA’s controversial program for the bulk collection of domestic phone call records has been granted extension for the last time, according to documents released. Under an order by the secret Foreign Intelligence Surveillance Court, the NSA is now allowed to continue collecting the data for a three-month period until Nov. 28. The permission was extended in June to Aug. 28. U.S. President Barack Obama approved as law in June the USA Freedom Act, legislation that reins in the program by leaving the phone records database in the hands of the telecommunications operators, while allowing only a targeted search of the data by the NSA for investigations. While some provisions of the Act took effect immediately upon enactment, the ban on bulk collection of call records allowed for a 180-day transition of the program. After Nov. 28, the NSA’s access to phone data collected so far, for the purpose of analysis, will end, according to a joint statement by the Department of Justice and the Office of the Director of National Intelligence. The data will, however, not be immediately deleted. If the court approves, the agency aims to keep the data for another three months and give technical personnel access to it “solely for data integrity purposes to verify the records produced under the new targeted production mechanism” permitted by the USA Freedom Act. In a related development, the U.S. Court of Appeals for the District of Columbia Circuit reversed a preliminary injunction on the collection of phone records by Judge Richard Leon of the U.S. District Court for the District of Columbia. The judge had earlier ruled that the NSA’s bulk collection of domestic phone records likely violated the U.S. Constitution. [pcworld.com] [Judges seem hesitant to stop NSA bulk collection before ban takes effect] The U.S. Court of Appeals for the District of Columbia Circuit ruled that the National Security Agency’s collection of metadata under the USA Freedom Act could continue until the bill’s expiration in November.

US – Vodafone Accessed Australian Journalist’s Phone Records

Vodafone failed to inform a Fairfax journalist that her phone records had been accessed by the company in a bid to uncover the source of her stories, despite senior staff acknowledging that the conduct was potentially illegal. The telco giant admitted in a statement that one of its employees had accessed “some recent text messages and call records” of investigative journalist Natalie O’Brien in January 2011. But O’Brien said the telco giant never informed her of the breach, which occurred shortly after she exposed major security flaws with Vodafone’s Siebel data system in a page one story on January 9, 2011. [stuff.co.nz]

CO – Colombia’s Spy Agencies Collecting Bulk Data Without Warrants

Intelligence agencies in Colombia have been building robust tools to automatically collect vast amounts of data without judicial warrants and in defiance of a pledge to better protect privacy following a series of domestic spying scandals, according to a new report by Privacy International. The report published by the London-based advocacy group provides a comprehensive look at the reach and questionable oversight of surveillance technologies as used by police and state security agencies in Colombia. One tool developed is capable of monitoring 3G phone cell and trunk lines carrying voice and data communications for the whole country, according to the report. The system, called Integrated Record System, was built by police intelligence starting in 2005 and had the capacity of collecting 100 million cell data and 20 million text message records per day without service providers’ knowledge, according to the report’s authors. The report doesn’t say how the technology was used but such mass, automated collection of data isn’t explicitly authorized under Colombian law, according to the group, which based its findings on purchase orders and documents, many never seen before, and confidential testimony by people working in Colombia’s vast surveillance industry. [usnews.com]

US – Twitter Hit With Class Action Lawsuit for Eavesdropping on Direct Messages

To most Twitter users, URL link shorteners are a convenient way to stuff more into a 140-character message. But a proposed class action lawsuit filed this week alleges that the social media service is using them in violation of the Electronic Communications Privacy Act and California’s privacy law. The complaint brought in federal court in San Francisco from Wilford Raney and others similarly situated is claiming that despite Twitter’s assurances that users are allowed to “talk privately” among one another, “Twitter surreptitiously eavesdrops on its users’ private Direct Message communications. As soon as a user sends a Direct Message, Twitter intercepts, reads, and, at times, even alters the message.” The lawsuit uses a link to The New York Times as an example. The new lawsuit aims to represent two classes — every American on Twitter who has ever received a direct message and every American on Twitter who has ever sent a direct message. The claimed damages are as high as $100 per day for each Twitter user whose privacy was violated. Here’s the full complaint. [Hollywood Reporter]

Telecom / TV

US – CBBB to Enforce Mobile Ad Space

September 1 marked the beginning of a new enforcement regime in the mobile ad space as the Council of Better Business Bureaus’ (CBBB) Online Interest-Based Advertising Accountability Program starts cracking down on the Digital Advertising Alliance’s Self-Regulatory Principles in the mobile environment. With exclusive comments from the CBBB’s Accountability Program Vice President and Director Genie Barton, this report examines what the CBBB will focus on enforcing and what businesses and app developers need to know in order to avoid an unwanted self-regulatory knock at the door. [The Privacy Advisor]

US – Justice Department Tightens Stingray Rules

The US Justice Department (DOJ) has published a new policy regarding its use of cell-site simulator devices commonly known as Stingrays. Government agents will need to obtain a warrant before using the technology to locate mobile devices. They will be prohibited from gathering communication content, including pictures, and must regularly purge the data they do collect. [The Hill] [ComputerWorld] [Wired] [Ars Technica] [DOJ Policy Guidance]

US – New DoJ Stingray Policy Falls Short, Advocates Say

The Department of Justice (DoJ) has announced a new policy for its use of cell-site simulators—known as stingrays—according to a DoJ press release. The policy requires law enforcement to obtain a warrant before deploying the technology. “Cell-site simulator technology has been instrumental in aiding law enforcement in a broad array of investigations, including kidnappings, fugitive investigations and complicated narcotics cases,” said Deputy Attorney General Sally Quillian Yates. “This new policy ensures our protocols for this technology are consistent, well-managed and respectful of individuals’ privacy and civil liberties.” The department-wide policy goes into effect immediately. Privacy advocates, however, say the new policy is flawed because of “substantial loopholes.” [Full Story]

US Government Programs

US – Congress Eyes Privacy Rights For Non-U.S. Citizens

Lawmakers and tech companies — including Google — are calling for the U.S. to extend certain Privacy Act rights to non-U.S. citizens. At issue is a data sharing “umbrella agreement” that U.S. and European Union negotiators agreed to earlier this week. The E.U. says that if Congress does not pass legislation extending the right to seek legal redress for privacy violations to non-U.S. citizens, the agreement is a no-go. The Judicial Redress Act, introduced by Sen. Chris Murphy (D-Conn.) and co-sponsored by Sen. Orrin Hatch (R-Utah), would allow the Attorney General to work with other agencies to designate certain countries whose citizens would have the right to enforce their data protection rights in U.S. courts. The lawmakers have cast the bill as urgent in light of its significance in the umbrella agreement negotiations. [The Hill]

US – IG: DHS Needs To Bolster Systems

The inspector general (IG) in charge of reviewing the Department of Homeland Security (DHS) issued a new report this week saying that the agency needs to improve the security of its information systems and establish a cyber-training program for analysts and investigators. “Without developing the department-wide training program, component personnel may not possess the skills necessary to perform their assigned incident response duties or investigative responsibilities in the event of a cyber attack,” the IG report states, adding, “We identified vulnerabilities on internal websites … that may allow unauthorized individuals to gain access to sensitive data.” The audit did say, however, that the DHS has improved coordination between agencies and set out nine recommendations for improvement. [Reuters]

US – NATGRID Database Rings Alarm Bells

The government is developing the National Intelligence Grid (NATGRID), which will fuse 21 personal information databases of Indian citizens, as well as National Population Register (NPR) information and biometric data from the Unique Identification Authority of India (UIDAI), accounting for 1.2 billion people. “The government’s defense is that it can anyway get access to such information under the Code of Criminal Procedure and NATGRID will expedite the process,” the report states. With the privacy and data protection bill still not approved after four years, the report suggests “the government wants to buy more time till UIDAI and the NPR complete the process of capturing biometric data in the entire country.” [The Business Standard]

US Legislation

US – Senate Judiciary Set to Consider ECPA Reform

A coming Senate Judiciary hearing on reforming the Electronic Communications Privacy Act (ECPA) will see legislators looking back to the 1967 Supreme Court case Katz v. United States to “revisit the ECPA’s roots” instead of simply reforming the “flawed” 1986 statute. The full committee hearing is set for 10 a.m. EST and will feature two panels of witnesses, including representatives from the Department of Justice, SEC and FTC, as well as the Tennessee Bureau of Investigation, Google, the Center for Democracy & Technology and the Software Alliance. [Full Story]

US – Senators Consider Legislation to Fight Taxpayer ID Theft

The recent IRS breach affecting more than 300,000 individuals has inspired the Senate Finance Committee to develop bipartisan taxpayer identity-fraud legislation, which will be debated Wednesday. “We need to do a better job of protecting taxpayers,” said Sen. Ron Wyden (D-OR). The bill would aim to “enhance taxpayer notifications regarding identity theft, push employers to file tax forms earlier and improve the electronic tax-filing system to speed processing and uncover more fraud” while intensifying sanctions for criminals. Meanwhile, the IRS confirmed that, for tax purposes, breach victims do not need to report identity-theft protection they receive. [The Hill]

US – Other Legislative News

Workplace Privacy

WW – Survey: Employees Know Risks But Aren’t Protecting Data

A Wakefield Research survey on behalf of Citrix Systems finds that breach awareness versus employee-to-employee breach defensiveness is growing disproportionately. While “U.S. workers are aware of threats to security and data and are feeling vulnerable … many fail to take basic security steps to protect their data … and some are not confident their companies are focused enough on the issue,” the report states. The survey found that 92% of “American workers believe security and data protection are priorities for the companies they work for,” but “88% believe companies say their data is more secure than it actually is,” the report states. [eWeek]

US – NFL Players Get Bugged

Some National Football League (NFL) teams now employ technology company Zebra’s radio frequency identification device (RFID), a uniform-attached tracking mechanism that collects data that may impact NFL goings-on from practice schedules to betting. “Every movement of every player now could be monitored within an accuracy level of all but a few inches,” the report states, adding, “But its most unexpected impact will have nothing to do with sports at all … Fortune 500 companies are watching the NFL closely, examining how they might incorporate the RFID chip to monitor every move of their onsite employees from the construction site, the office and beyond.” [Ars Technica] [How the NFL—not the NSA—is impacting data gathering well beyond the gridiron] SEE ALSO: [CBC News: How games, social media are changing the hiring game] | [CBC News: How new data-collection technology might change office culture] | [CBC News: WW – Companies Monitoring Personal Time, for ‘Self-Improvement’]

CA – OFL Employees Demand Their Office Be Checked for Concealed Cameras

The discovery of a camera hidden in an exit sign at the Ontario Federation of Labour has prompted shaken employees to demand a complete electronic sweep of their office. Meanwhile, concerns have also been raised about other cameras contained in what appear to just be smoke detectors in public areas of the building, partly owned by the OFL. The Star has learned the demand for an office sweep is included in a grievance filed by the Canadian Office and Professional Employees Union (COPE), the union representing the employees. The grievance is scheduled to go to arbitration on Oct. 8. An email statement said that “every security camera in the OFL building is located in a public area where no one would have the expectation of privacy, and each security camera is trained on an entrance, a stairwell or an elevator.” “They are not, and have never been, used to monitor or discipline staff of the OFL or the OntFed building. These security cameras were installed on the advice of police because of persistent situations involving intruders who were harassing staff of the building and because of break-ins and thefts in the building.” [The Star] [US man loses job offer after sending naked selfies to boss]

+++

16-31 August 2015

Biometrics

AU – Australian Government to Debut Facial Recognition Database

By next year, the Australian government expects to have a plan in place for law-enforcement agencies to share facial-recognition data. As they try to battle organized crime, the report says, law-enforcement officials have been working on a national facial recognition database, which will initially be focused on matching faces to known criminals and then expand to match the faces of unknown criminals in footage or images to those in the general population via images collected for identity documents. The government currently holds some 100 million such images. At least six federal agencies will be able to access the database when it goes live. [IT News]

AU – Portable Fingerprint Devices on NSW’s Horizon

New South Wales (NSW) police are on the lookout for portable fingerprint scanners that are compatible with Samsung Note 4, a move that will cause minimal privacy waves. The search for the scanners was catalyzed by the police department’s desire to streamline the identity-check process, the report states, noting that while “there has also been strenuous ongoing debate in the country about associated privacy and civil rights issues … the NSW Police efforts in this case are fairly incremental … and are unlikely to spark a major controversy, at least until the police actually start using fingerprint sensors in the field.” [MobileIDWorld]

WW – Facebook Launches Facial Recognition Tool

Facebook has launched a facial recognition tool in India that it withheld in Europe due to privacy concerns. “Moments” groups photo albums together using face recognition algorithms and allows users to search for photos of themselves and friends. American users are already using the tool. In June, Facebook said EU laws prevented it from releasing the app in Europe; regulators told the company it must offer an opt-in choice before unveiling. [Planet Biometrics]

Big Data

WW – Protecting Privacy Shouldn’t Be an Afterthought

Privacy must be the foundation of the Internet of Things (IoT) as its technology develops, and in order to quell user trepidation, the matter of how to do that “deserves serious thought.” “Privacy, security and trust cannot be an IoT afterthought—after all, these devices are collecting our stories,” the report states, noting data should be thought of as stories that generate insights for those seeking to market products to individuals. “Security has to be baked into the core platform from the beginning in order to explicitly manage what is happening to the information collected, who controls it, who has access to it and what is done with it,” the report states. [Information Age]

Canada

CA – Canada Privacy Commissioner Issues BYOD Warning for Businesses

The Office of the Privacy Commissioner of Canada, alongside counterparts from British Columbia and Alberta, has issued a document offering guidance for companies looking to implement BYOD programs. Citing “an increased blurring of the lines between professional and personal lives” and “employee concerns that privacy is at risk”, the 16-page missive goes through the various stages of rollout, from getting senior management onside, to privacy impact and threat risk assessments, and testing and enforcing policy. [Appstech News]

CA – BC Commissioner Calls for Compulsory Reporting, Privacy Training

BC Information and Privacy Commissioner Elizabeth Denham believes the province should require mandatory privacy breach reporting. Because BC still has voluntary breach reporting, “Denham said she has no way of knowing whether she’s hearing about all serious cases or whether citizens and consumers are being properly notified,” the report states. Meanwhile, in St. John’s, an attorney has filed a class-action against Kiewit Energy over a privacy breach, and The Canadian Press reports on the call for improved Internet privacy training for both government and private-sector employees to help prevent breaches. “Online privacy awareness training is crucial to protect not only the employees but the employers’ reputation,” said University of Ottawa’s Karen Eltis. [Times Colonist] [Watchdog urges compulsory reporting of B.C. privacy breaches]

CA – Senate Reports Point to Tory Privacy Priorities

Newly released Senate committee reports provide a glimpse into Conservatives’ privacy policy priorities, writes Michael Geist. Specifically, the Senate Committee on National Security and Defence released two reports recommending a “massive expansion in the collection and sharing of biometric information” at the borders and “examining training and certification of imams in Canada.” While the reports acknowledge potential privacy issues, they offer, Geist says, few protective measures other than “appropriate oversight.” [The Tyee]

CA – Toronto Police Curb Disclosure of Suicide Attempts to U.S. Border Police

Following a highly critical report and unprecedented legal action by Ontario’s privacy commissioner, Toronto police have taken steps to keep U.S. border police from automatically accessing records about a Canadian’s suicide attempts — sensitive personal information that could result in being denied entry. In a report to the Toronto police board released this week, Chief Mark Saunders outlined changes made in the wake of Cavoukian’s 2014 report, Crossing the Line, which chronicled the experiences of Ontarians refused entry into the U.S. based on a past suicide attempt. Cavoukian’s report and a Star investigation probed how U.S. border guards were being alerted to prior suicide attempts through the Canadian Police Information System (CPIC), a national police database operated by the RCMP. In his letter to the board, Saunders described new protocol that “balances public safety with the need to protect Canadians’ privacy” by setting stricter limits on what information can be viewable by U.S. Customs and Border Protection through CPIC. It’s a different solution than Cavoukian’s, which suggested Toronto police halt the practice of automatically uploading or disclosing personal information through CPIC related to suicide threats or attempts. Insistent that a record needs to be shared with other police forces — information about previous suicide attempts or threats “can be instrumental in managing potential risk to the public, the officer and, importantly, the person in crisis,” Saunders writes — Toronto police instead worked with the RCMP to develop a new CPIC function that blocks U.S. border officials from accessing certain information. [thestar.com]

CA – Expert: ‘Dangerous’ Alberta Court of Appeal Precedent Will Promote Government Secrecy

Alberta’s information commissioner is appealing to the Supreme Court of Canada a ruling which significantly limits her powers to hold the government accountable. It also sets a precedent which one expert says could lead to increased secrecy at government ministries across Canada. In April, the Alberta Court of Appeal ruled information and privacy commissioner Jill Clayton does not have the legal authority to compel public organizations – such as government ministries – to hand over records which they claim are subject to solicitor-client privilege. Ottawa lawyer and freedom-of-information expert Michel Drapeau called the ruling a “very, very dangerous precedent” which he believes will be frequently abused by governments seeking to evade transparency and accountability. “We will only receive information which a government institution decides we are entitled to,” Drapeau said. “(Ministries) will block the rest of it by using this very convenient tool: solicitor-client privilege.” [CBC News]

CA – Nova Scotia Judge Reserves Decision on Law Inspired by Rehtaeh Parsons

Arguments have now concluded about the constitutionality of Nova Scotia’s ground-breaking legislation designed to combat cyberbullying. After a day and a half of arguments from lawyers, Justice Glen MacDougall reserved his decision to a later date. Privacy lawyer David Fraser brought the Charter challenge to the Nova Scotia Supreme Court, saying the 2013 provincial statute violates Sections 2(b) and 7 of the Canadian Charter of Rights and Freedoms. Those sections pertain to the freedom of expression and the right to life, liberty and the security of the person. “The definition of cyberbullying is too broad and is defective,” said Fraser. He argued in court that any comment made online that could hurt a person’s feelings may constitute cyberbullying. That could result in sweeping communication restrictions on the person who made the comments, Fraser argued. The current legislation, he said, captures everything from political advertising to benign online commentary. In defence of the Cyber-Safety Act on behalf of the Attorney General, lawyer Debbie Brown argued the legislation does not infringe on any rights, and that any infringement that does exist is reasonable. Brown told the court that freedom of expression protects three categories of speech:

  1. Pursuit of truth
  2. Participation in social or political decision making
  3. Self-fulfillment

She argued that cyberbullying — in this specific case and in general — rarely falls into any of these three categories. If the speech is not protected by the Charter, the Act should be allowed to stand, Brown said. Lawyers also tackled a procedural issue. Court orders issued under the current Act can be enforced “ex parte”, meaning without submissions from both parties involved. Victims can request a court order under the Act without the accused being notified. That means the first notice an accused cyberbully may receive is a document served by police immediately restricting their online communication. Justice Glen MacDougall did not give a precise date when he may return with a decision. [Source]

CA – Privacy Commissioner Investigates Ashley Madison Data Breach

The Office of the Privacy Commissioner “has commenced an investigation into the matter concerning (Ashley Madison owner) Avid Life Media.” Last week, hackers leaked the personal information of 39 million Ashley Madison users, including emails, credit card information and sexual preferences. “Given that the company is based in Canada, and considering the global scope of the incident, our office will be investigating jointly with the Office of the Australian Information Commissioner, and in cooperation with other international counterparts,” Lawton said. [Source]

CA – Feds Consider Scheme to Circumvent Effect of Ruling That Curbs Police Access to Internet Subscriber Data

A new administrative scheme that would allow police to obtain basic information about Internet subscribers without a warrant is one option being considered by federal officials following a landmark Supreme Court ruling that curbed access to such data, Canadian police chiefs say. The glimpse into federal deliberations about how to address the highly influential court decision comes in a newly published background document from the Canadian Association of Chiefs of Police, which is urging the government to fill the legislative gap. [The Star]

SK – A Look at the Latest PIPA Amendment

The Personal Information Protection Act (PIPA) has been amended. “As a result of the amendment, organisations that experience a data breach could find themselves faced with court-awarded damages of up to three times the actual damage caused” by the breach, the report states. Once the amendment goes into effect, it is expected it “will lead to a sharp increase in liability lawsuits following personal data breaches. With some organisations holding millions of customers’ data, the enormous potential fine should in turn encourage organisations and others who hold personal data to take greater care to protect personal information,” the report states. [ReedSmith’s Technology Law Dispatch]

CA – Roundup: Courts, Commissioners Take Action

Alberta Information and Privacy Commissioner Jill Clayton is appealing a ruling that “significantly limits her powers to hold the government accountable” to Canada’s Supreme Court. University of King’s College’s Dean Jobb writes on an “about face” on police disclosures of those who have died as a result of violent crimes. The Ontario Office of the Information and Privacy Commissioner has found “no evidence of tampering or interference with documents requested” by the newspaper. And in Saskatchewan, the Office of the Information and Privacy Commissioner found a healthcare employee’s privacy was breached “when his personal information was shared by his employer, the health region and the health ministry.” Meanwhile, in Toronto, “police have taken steps to keep U.S. border police from automatically accessing records about a Canadian’s suicide attempts.” [CBC News]

CA – IPC: Letter to Minister Proposes MFIPPA Amendment

In a letter to the Honourable Ted McMeekin, Minister of Municipal Affairs and Housing, the Ontario Commissioner applauds the ministry for engaging the public and other stakeholders in its review of Ontario’s municipal legislation. Recognizing this process as an opportunity to improve accountability and transparency, he recommends amendments to the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) relating to municipal councillors’ records. The proposed amendment would broaden the scope of information accessible under MFIPPA. The Commissioner has offered his continued assistance to the minister and his staff. He also asks that his office be consulted on any reforms that involve new collection, use or disclosure of personal information or personal health information. [Source] SEE ALSO: When the Ontario Legislature resumes its sitting in September, it will be looking at the Police Record Checks Reform Act 2015.

CA – Other Privacy News

Consumer

US – Millennials, Others Concerned About Privacy

According to a study by security corporation Intercede, less than five percent of 16- to 35-year-olds in the U.S. and UK trust that their digital identities are adequately protected, with 70 percent believing that these online risks aren’t going anywhere soon. Lubna Dajani, a digital technologist, noted, “Businesses and governments should urgently review current security protocols or else risk the potential to drive innovation and growth.” And The Telegraph reports Google search data indicates concern among UK residents in the wake of recent breaches. Meanwhile, InfoWorld provides tips on how to protect anonymity online. [ComputerWeekly]

E-Government

AU – NSW Data Collection Plan Involves Privacy Input

New South Wales (NSW) has a “plan for a whole-of-government data analytics centre,” suggesting that while it highlights “the potential of big data to influence and inform government policy decisions … it’s good to see that a steering committee, composed of NSW’s privacy commissioner, chief scientist, customer service commissioner and information commissioner, has been established to oversee the centre’s establishment.” The report calls the involvement of privacy experts “absolutely crucial because harnessing big data does have its complications”—specifically addressing consumers’ rights and interests, noting that even with anonymous data, “data analytics increasingly gives organisations the ability to drill down to monitor and understand individual behaviour, often without the awareness of those being observed.” [Technology Spectator]

AU – Research: Government Failing on PIAs

The government “has failed to conduct proper privacy impact assessments (PIAs) on almost 90% of the national security measures it has passed in the last 14 years.” That’s according to independent research by privacy advocate Roger Clarke, the report states, noting that since the Sept. 11, 2001, terrorist attacks, “Australia has passed about 72 security-related measures—from increasing electronic spying, to metadata and biometrics,” but “only 20 of those laws had any kind of PIA, and of those, half were done in secret without any public consultation,” Clarke said, “The track record of government agencies is appalling on this matter.” [ABC News] [AU – Government failed to conduct privacy impact assessments on 90pc of security measures]

EU – Should Government Publish New Citizen Data?

Activists are expressing concern about an Irish government policy of publishing the names and addresses of new citizens in Iris Oifigiúil, the official government register. Digital Rights Ireland believes the practice, which has been in place since at least 2005, is in breach of EU law. However, the practice was reviewed in 2011 by the Minister for Justice and it was decided the practice is mandated by a 1956 Act. The Data Protection Commissioner found, too, that the processing of personal information in this way is exempt from the Data Protection Act. In response, the Migrant Rights Centre Ireland has said they are “astounded” that the government has made this information so easily accessible. [Irish Times] See Also: [Government surveillance of citizens a troubling trend in Canada] and [Micro-targeting is a political tool that can help parties win]

US – Audit Finds Dozens of CA Agencies Noncompliant

Dozens of California state agencies have not fully complied with cybersecurity standards designed to protect Social Security numbers, health records, income tax information and other sensitive data from hackers. That’s according to a report released by auditor Elaine Howle. The audit found 37 executive branch agencies that told the Department of Technology they met security requirements hadn’t done so, and eight won’t finish the necessary tasks until 2020, the report states. Howle’s “high-risk update,” which doesn’t name the agencies, “raised questions about the technology department’s oversight in light of high-profile breaches elsewhere that have exposed confidential records maintained by public agencies,” the report states. [The Recorder]

WW – Other Privacy News

E-Mail

WW – Study: Millennials Dubious About Their Privacy

According to a study by security corporation Intercede, less than 5% of 16- to 35-year-olds in the U.S. and UK trust that their digital identities are adequately protected, with 70% believing that these online risks aren’t going anywhere soon. “Millennials have been digitally spoon-fed since birth, yet a general malaise is brewing among this demographic in terms of how safe their online data really is,” said Lubna Dajani, a digital technologist, adding, “Businesses and governments should urgently review current security protocols or else risk the potential to drive innovation and growth.” [ComputerWeekly]

[US: Why Don’t Huge Privacy Flaws Result In Recalled Smartphones?] [Privacy focused Blackphone 2 Is Now Available For Pre-Booking] [‘Butt-dial’ saves teen’s life in Tennessee]

Electronic Records

WW – EHRs Pose Challenges for Privacy, Accuracy of Records

As healthcare providers switch to electronic health records (EHRs), methods for controlling access and accuracy are needed. The Intercept highlights stories of patients’ mental health records being accessed by individuals the patients did not expect to have access—for example, through an open EHR system in an effort toward increased efficiency or through a company’s health-incentive program. Data-matching is also a challenge: with the growth of EHRs and the push for a secure national health data exchange, there is a need for new methods, “such as new algorithms,” to improve the process. Meanwhile, Intel and the Knight Cancer Institute recently announced the Collaborative Cancer Cloud, which uses data analysis to advance cancer care. [The Intercept]

EU Developments

EU – Coalition Calls on EU to Strike Part of GDPR

A broad industry coalition is lobbying the European Union to strike out part of the General Data Protection Regulation that could force companies to deny requests for personal data from non-member countries. Article 43a of the regulation says companies should not always comply with requests from courts, tribunals and administrative authorities in non-EU countries for the personal data of Europeans—except under law enforcement treaties or relevant agreements between those countries and the EU. The clause could create a quagmire for global companies, according to the Industry Coalition for Data Protection, whose members include Apple, Google and AT&T. It asks that the issues be dealt with in the data protection directive rather than the regulation. [Politico]

UK – Preparing for the GDPR and the Value of Privacy

UK Information Commissioner Christopher Graham discusses the EU General Data Protection Regulation (GDPR). Graham contrasts his office’s enforcement capabilities with those of the U.S. FTC, which he says can impose “eye-watering fines, which has a major effect in protecting privacy,” while “the most I can fine anyone … is half a million pounds. The FTC wouldn’t cross the road for half a million pounds or dollars.” Meanwhile, Krux’s Joe Reid writes for Fourth Source about provisions expected in the forthcoming GDPR and the value of privacy for businesses, noting, “The ability of a business to keep its customer data safe is increasingly becoming a differentiator.” And Computer Weekly reports that “prudent businesses” in the UK “are considering and planning for the new regulation right now.” [Computing]

UK – ICO Wants Links to Stories about RTBF Requests Removed

Since the EU’s embrace of the right to be forgotten, reports citing specific examples of story-removal requests have begun spurring interest in the stories set to be removed. As such, the UK Information Commissioner’s Office has requested Google take down links to those article-removal-request stories as well. The move “could provide an example for other countries, potentially provoking a new wave of takedown requests of stories about takedown requests and a subsequent wave of stories about those new requests,” the report states, adding, “That will also give ammunition to both free speech advocates and privacy activists in their tussle over where to draw the line between privacy and the public’s right to know.” [The Wall Street Journal]

UK – Councils Respond to Breach Report

Local councils are responding to the recent Big Brother Watch report on more than 4,000 data protection breaches by councils in the past three years, with one spokesman stating, “We have a legal, moral and ethical duty to properly take care of personal information. As an organisation which processes hundreds of pieces of data every day, we take that responsibility very seriously.” [Burton Mail] Meanwhile, the Information Commissioner’s Office (ICO) has given Central Bedfordshire Council a “limited assurance” rating following a data protection audit. “The ICO advised that the council take action to better its data sharing practises, records management and training and awareness,” the report states. [Digital by Default News]

EU – DPC: Current Laws Keep Cab CCTV Footage Out of Court

Although the National Transport Authority has put forward proposals for public input to make CCTV mandatory in taxis, in-cab surveillance footage is inadmissible in Irish courts under current law. “Technically,” an Office of the Data Protection Commissioner (ODPC) spokeswoman said, “it’s just another individual. They would be inadmissible in a court, because they had no consent from the other person to record it, so they wouldn’t be able to use it.” The ODPC spokeswoman added, “It wouldn’t be of use unless the regulation changes and they are allowed to have CCTV footage and they become the data controller of the CCTV footage.” [Herald.ie]

EU – DPA Fines Data Seller, Purchaser

The Bavarian Data Protection Authority (DPA) recently fined both a seller and purchaser “for unlawfully transferring customer data as part of an asset deal.” Citing the economic value of customer data, the report notes, “It frequently happens that a company tries to sell these high-value assets to another company as part of an asset deal.” In the Bavaria DPA case, the report states, “transferring customer email addresses requires prior customer consent or, alternatively, customers must be informed of the intent to carry out such a transaction beforehand to give them the opportunity to object.” While exact penalties were not released, the DPA “confirmed they were both five-figure sums and emphasised that the penalties were significant and incontestable.” [JD Supra] The National Law Review reports that the German Chamber of Commerce and Industry has “expressed doubts over the appropriateness” of a governmental draft data retention bill.

UK – Elton John Pursues Privacy Law Case Against French Media

Elton John is taking legal action in France over “unfounded reports” about his and husband David Furnish’s private life. Lawyers for the singer have pledged to take action against three French media outlets after they published rumours about John’s health. A legal rep for John and Furnish said that his clients “have instructed my office to pursue through the justice system the violation of the right to respect for their private life due to the publishing by Closermag.fr, TeleStar.fr and VSD of unfounded rumours about their health”. He added that the two men “will no longer tolerate the violation of their privacy and the exploitation of their renown and their image for commercial ends in France”. [Source]

Filtering

CN – 15,000 Suspected Cybercriminals Arrested

In an attempt at “cleaning up the Internet,” the Chinese government arrested 15,000 alleged cybercriminals. “The Chinese have gotten increasingly worried that they do not have the right kind of regulations, protections and responses in place,” said the Council on Foreign Relations’ Adam Segal. “There is a real sense that there needed to be some type of regulatory response to potential attacks.” The move is among other recent Chinese gestures in an attempt to drum up a greater privacy presence, including the announcement of “cyberpolice units” installed at major corporations and a data protection draft law. [PYMNTS]

WW – Twitter Implements “Right To Be Forgotten” for Politicians’ Tweets

Twitter blocks accounts that keep tweets deleted by politicians, saying their rights are more important than society’s right to know. One of the most fascinating things about watching the evolution of Twitter as a platform is the tension between its desire to be a tool for free speech around social issues — a kind of engine that empowers citizen journalists — and the pressure to be a business. Is the service really the “free-speech wing of the free-speech party,” as its executives are fond of saying, or is it just another advertising platform whose primary motivation is boosting its share price? The latest incident to highlight this tension is Twitter’s blocking of a number of accounts that preserve the tweets of politicians, as a way of tracking their public statements about social issues. Twitter first blocked the U.S.-based account @Politwoops in June, and now it has blocked a number of other similar accounts in different countries that were run by the Open State Foundation, a non-profit group that promotes transparency through open data. “Twitter’s decision to pull the plug on Politwoops is a reminder of how the Internet isn’t truly a public square. Our shared conversations are increasingly taking place in privately owned and managed walled gardens, which means that the politics that occur in such conversations are subject to private rules.” [fortune.com] See also: [Download a free messaging app that protects your privacy] [Global think tank calls for global digital privacy] [People are freaking out over a feature in Windows 10’s family accounts] [What’s up with ‘dox’? The troubling history of an online scare tactic] [Lessons From a Tragic Kidnapping in Germany]

Finance

US – SEC Won’t Penalize Target for Breach

The Securities and Exchange Commission (SEC) has decided not to penalize Target for its 2013 cyber-attack, which resulted in the exposure of millions of customers’ data. The SEC was one of several government entities investigating the company following the breach, the report states. In Target’s quarterly results document, which was filed with the SEC and published online for Target’s investors, the company said the SEC’s investigation had ended and that it “does not intend to recommend an enforcement action against us.” State attorneys general and private litigators continue to investigate, which may result in penalties or settlements, the report states. [StarTribune]

US – Bank Lawyers Displeased With Visa-Target Deal

While Visa and Target announced a deal last week to compensate card issuers with up to $67 million, lawyers for a slew of banks and credit unions seeking class-action status say it’s not enough “for costs incurred in reissuing cards and reimbursing customers for fraudulent charges.” With a deadline to participate in the Visa-Target deal set for September 4, banks and credit unions must decide whether to take that money or to forgo it in favor of the potential class-action, a certification hearing for which is scheduled for just six days later. Plaintiffs’ lawyers “strongly recommend that financial institutions not accept the optional alternative recovery offers.” [National Law Journal]

US – Visa, Target Reach $67M Agreement

Visa says it has reached an agreement with Target to reimburse card issuers up to as much as $67 million for costs related to the retailer’s 2013 data breach. The agreement is more than three times the amount of a prior settlement proposed with MasterCard that did not gain enough support from the financial institutions involved, the report states. In April, the financial institutions challenged the proposed $19 million data breach settlement with MasterCard, filing a motion to void it. Settlement negotiations with Visa were ongoing at that time. “Visa has worked to help Target reach a resolution for the expenses incurred by financial institutions as a result of the 2013 compromise,” a Visa spokesperson said, adding, “This agreement attempts to put this event behind us.” [Reuters]

WW – AM Hackers Speak Out; Class-Action Seeks $578M

The latest Ashley Madison news includes more class-action developments and an interview with the hackers behind the breach. “Will The Impact Team be hacking any other sites in the future? If so, what targets or sort of targets do you have in mind?” “Not just sites. Any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians. If we do, it will be a long time, but it will be total,” The Impact Team responds in an email. Meanwhile, a class-action suit filed “on behalf of Canadians who subscribed” to the site seeks $578 million, StarTribune reports, and Ars Technica reports a New York-based firm is seeking Ashley Madison users in the U.S. to join a prospective privacy and consumer fraud suit. Meanwhile, a CSO op-ed highlights different strategies for companies to stay safe from “cyber extortion.” [Motherboard]

FOI

WW – Sunshine Laws and Privacy vs. Transparency

Legislation requiring business “to record their beneficial owners in a public central registry maintained by the government” is a step toward healthy transparency, Alexandra Wrage writes. “Elsewhere in the world, owners of private companies can continue to keep that information hidden from public view,” Wrage notes, adding, “While many argue that this is a fundamental principle of financial privacy, it has also permitted extreme abuses by criminals and kleptocrats.” Wrage adds that “in spite of privacy concerns, many in the business world support the new requirements” and that “sunshine laws make it easier for companies to conduct due diligence on their partners.” [Forbes]

Genetics

IN – DNA Bill Questioned; Litigation Filed

The Indian Ministry of Science & Technology’s Department of Biotechnology posted its Human DNA Profiling Bill for public feedback through August 20. Among the omissions in the current draft, the report cautions, “the Group of Experts’ privacy recommendations are also still missing.” According to the report, the bill does not include such privacy safeguards as distinguishing when DNA can be collected without consent and providing an explicit guarantee that DNA will not be used for purposes other than those for which it was collected. Meanwhile, The Times of India reports an individual has filed a public interest litigation with the Bombay High Court over Mumbai police’s hotel raids, alleging a right-to-privacy violation. [Wire]

Health / Medical

EU – Dutch Patient Privacy Concerns Persist

A bill being prepared by Dutch Health Minister Edith Schippers is raising concerns. “The government plans to loosen rules on patient privacy by requiring doctors in some cases to work with official agencies probing disability fraud,” the report states, noting the legislation “could clash with the EU’s schedule for implementing regulation to boost patient data protection, which starts to get under way in September.” Meanwhile, IT Pro Portal sums up six tips for moving healthcare services to the cloud in the UK, and the NHS England and the UK government need “to face privacy and security risks head-on” as patients’ privacy concerns “stand in the way of great health research and public service efficiencies.” [Politico]

US – Study: Health Industry Biggest User of Shadow Data

A study from cloud provider Elastica has found the healthcare industry is the biggest culprit for shadow data use. Elastica defines shadow data as “all potentially risky data exposures lurking in sanctioned cloud apps, due to lack of knowledge of the type of data being uploaded and how it is being shared,” the report states. Healthcare companies have many violations “because of the complexity of relationships in the industry, which include physicians, hospitals, clinics, patients, employees, contractors and insurers, among others. Consequently, there are more potential areas of data leakage than in other industries,” the report states, noting Elastica “found millions of files at risk for direct compliance violations, possible intellectual property leaks or generally risky exposures.” [HealthData Management] [Why cloud security is your next big, expensive, headache]

US – CHIME Contest to Award $1M for NPI Solution

In an effort to move forward with plans for a national patient identifier (NPI), the College of Healthcare Information Management Executives (CHIME) is launching a contest and offering $1 million for the best NPI proposal. Historically, the idea of an NPI has been controversial, but supporters “say it is crucial to ensuring patient safety and to enabling healthcare organizations to exchange electronic patient data,” the report states. CHIME’s Keith Fraidenburg has emphasized the winning NPI “must protect privacy and security,” the report states, noting, “Whatever CHIME comes up with, privacy defenders are sure to fight back” due to concerns an NPI will make “records more vulnerable to theft and misappropriation.” The contest kicks off this fall, with a winner announced in 2016. [CIO] [US: National patient identifier struggles for life]

Horror Stories

US – Breach Worse Than First Believed

The Internal Revenue Service (IRS) has announced hackers “potentially accessed tax information for a total of 338,000 taxpayers—triple the amount feared when the breach was first disclosed in May.” Originally, the IRS believed the hack had exposed information on 114,000 taxpayers, the report states. “As part of the IRS’s continued efforts to protect taxpayer data, the IRS conducted a deeper analysis over a wider time period covering the 2015 filing season, analyzing more than 23 million uses of the Get Transcript system,” the IRS said in a statement, noting it is “moving aggressively to protect taxpayers whose account information may have been accessed.” [NBC News]

US – Breach of IRS Site Indicates Troubling Lack of Security

The 2015 IRS breach, in which hackers exploited weak points in the agency’s website to steal nearly 334,000 personal records, was easy to carry out given the data exposed in previous breaches and sub-par IRS cybersecurity measures. “Just knowing a person’s address, which you can get from one of these more traditional breaches, you can discover a lot about a person,” said the University of Michigan’s Kevin Fu. This easy access to information, coupled with weak internal systems, some of which “have been running for 50 years,” according to IRS Commissioner John Koskinen, makes it a “difficult challenge competing with organized criminals who have resources.” [Quartz]

WW – Hackers Finally Post Stolen Ashley Madison Data

Hackers who stole sensitive customer information from the cheating site AshleyMadison.com appear to have made good on their threat to post the data online. A data dump, 9.7 gigabytes in size, was posted to the dark web using an Onion address accessible only through the Tor browser. The files appear to include account details and log-ins for some 32 million users of the social networking site, touted as the premier site for married individuals seeking partners for affairs. Seven years’ worth of credit card and other payment transaction details, going back to 2007, are also part of the dump. The data, which amounts to millions of payment transactions, includes names, street addresses, email addresses and amounts paid, but not credit card numbers; instead it includes four digits for each transaction that may be the last four digits of the credit card or simply a transaction ID unique to each charge. AshleyMadison.com claimed to have nearly 40 million users at the time of the breach about a month ago, all apparently in the market for clandestine hookups. [Wired Magazine] [The AshleyMadison Leak and Why We Shouldn’t Buy Into It] [Ashley Madison hack includes hundreds of gov’t email addresses] [Ottawa man files lawsuit against Ashley Madison citing privacy breach] [Cyber-Posse Aims to Round Up Ashley Madison Hackers] [How one woman discovered she had an Ashley Madison account]

JP – JPS Needs Cybersecurity Updates Post-Hack

The Japan Pension Service’s (JPS) handling of a May targeted attack that affected 1.25 million records illustrates a “sloppy information management (that) must be corrected urgently.” “A sweeping organizational reform is called for, in addition to the bolstering of information management systems,” the report continues, noting a similar attack occurred in April. The report calls for efforts “to ensure that a recurrence of similar incidents is robustly prevented” and to restore confidence in the JPS. Cybersecurity reform is especially important, the report states, as cyber-attacks “are becoming more ingenious and shrewd.” [The Japan Times]

WW – Ashley Madison Leak Fallout Continues

Reaction to the massive leak of personal information from Ashley Madison continues, Kashmir Hill writes. Several websites have emerged that allow users to sift through the data, including one where a user can enter an email address to see whether it is associated with an Ashley Madison account. In its first 24 hours, https://ashley.cynic.al/ received more than 300,000 visits and more than one million searches. Hill writes, “The ease of checking the Ashley Madison database for a match raises a much tougher ethical question: Even if you can check to see who was using Ashley Madison, should you?” Business Insider shares an interview it conducted with the CEO of Avid Life Media, the parent company of Ashley Madison, before the hack. Meanwhile, New Zealand Privacy Commissioner John Edwards has said that “not a lot” can be done to remove the information that was stolen from AM, Stuff.co.nz reports. [Fusion]
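The lookup sites described above have a second problem beyond Hill’s ethical one: an operator who accepts plaintext email addresses learns exactly who is searching for whom, and its query log becomes a sensitive dataset of its own. The following is an added illustration, not code from the original report and not a description of how ashley.cynic.al or any other site actually worked. It contrasts the naive design with the k-anonymity range-query pattern, in which the client hashes the address locally, sends only the first few hex characters of the hash, receives every stored suffix in that bucket and finishes the comparison itself. The leaked addresses, the prefix length and the service names are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample standing in for a leaked user table; none of these are real accounts.
LEAKED_EMAILS = [
    "alice@example.invalid",
    "bob@example.invalid",
    "carol@example.invalid",
]

PREFIX_LEN = 5  # hex characters of the hash that leave the client; the rest never do


def normalize(email):
    """Canonical form so 'Alice@Example.INVALID' and 'alice@example.invalid' compare equal."""
    return email.strip().lower()


def email_hash(email):
    """SHA-1 is fine here: the hash is only a lookup key, not a password store."""
    return hashlib.sha1(normalize(email).encode("utf-8")).hexdigest().upper()


class NaiveLookupService:
    """The obvious design: the server receives the full address and can log every query."""

    def __init__(self, emails):
        self.members = {normalize(e) for e in emails}
        self.query_log = []  # everything the operator learns about who is curious about whom

    def lookup(self, email):
        self.query_log.append(normalize(email))
        return normalize(email) in self.members


class RangeQueryService:
    """k-anonymity design: hashes are bucketed by prefix and the server only ever sees prefixes."""

    def __init__(self, emails):
        self.buckets = defaultdict(set)
        for e in emails:
            h = email_hash(e)
            self.buckets[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])
        self.query_log = []

    def range_query(self, prefix):
        # Reject anything that is not a well-formed prefix so the endpoint cannot be abused
        # as a full-hash oracle or fed arbitrary strings.
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d upper-case hex characters" % PREFIX_LEN)
        self.query_log.append(prefix)
        return sorted(self.buckets.get(prefix, ()))


def is_breached(service, email):
    """Client side: hash locally, send the prefix, complete the match at home."""
    h = email_hash(email)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in service.range_query(prefix)


def expected_bucket_size(total_records):
    """Average anonymity set per prefix: the number of records sharing the bits that were sent."""
    return total_records / 16 ** PREFIX_LEN


if __name__ == "__main__":
    naive = NaiveLookupService(LEAKED_EMAILS)
    naive.lookup("Alice@Example.INVALID")
    print("naive server log:", naive.query_log)          # the full address

    svc = RangeQueryService(LEAKED_EMAILS)
    print("breached:", is_breached(svc, "Alice@Example.INVALID"))
    print("range server log:", svc.query_log)            # a 5-character prefix only
    print("avg bucket at 32M records: %.1f" % expected_bucket_size(32_000_000))
```

The caveat a practitioner should keep in mind is that the anonymity set is a property of the dataset size, not of the protocol: with the roughly 32 million accounts reported in the dump and a 5-hex-character prefix, each bucket holds about 30 hashes, so the server learns only that the querier is interested in one of those 30 addresses. Against the three-record sample above every bucket is a singleton and the scheme hides nothing, which is why the prefix length has to be chosen per corpus.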

WW – Ashley Madison Suit Filed

Amidst hackers’ exposure of more information from infidelity site Ashley Madison, Toronto lawyers have filed a class-action notice in Superior Court. “The Impact Team, the ‘hacktivist’ group who released 10 gigabytes of customer data earlier this week, dropped another 20 gigabytes of data, including emails from the inbox of the company’s CEO,” the report states. “It seems massive in some respects, but for us, it’s a classic privacy breach case,” said Ted Charney, one of the attorneys working on the suit. The corporations that run Ashley Madison are listed in the suit, but the hackers are not, the report states. [Toronto Sun]

WW – The Ashley Madison Class-Actions Begin

Amidst the exposure of more information from infidelity site Ashley Madison, class-action suits now follow in the U.S. and Canada. The Canadian suit names the corporations that run Ashley Madison but not the hackers, while an Oklahoma firm “appears to be seeking out plaintiffs.” The report notes that lawsuits filed over the hack will be challenging: “Those who take legal action will likely out themselves as one of the notorious website’s purported 39 million members. And just like with any ordinary data breach, they would have to prove they were harmed in some way in order to collect damages.” Meanwhile, Glenn Greenwald likens reactions to the Ashley Madison hack to Hawthorne’s The Scarlet Letter. [NBC News]

WW – Avid Life Media Offering $500K for Ashley Madison Hackers

Information regarding the specific identities behind the Ashley Madison hack is worth $500,000, Toronto police said on behalf of Avid Life Media, the organization that runs the hacked site. The announcement follows reports of two suicides allegedly linked to the leak. “This hack is one of the largest data breaches in the world,” said the Toronto police’s Bryce Evans. “The social impact behind this leak, we’re talking about families; we’re talking about children … It’s going to have impacts on their lives.” He said he hopes those “who no doubt have information that could assist this investigation … do the right thing.” Meanwhile, the Office of the Australian Information Commissioner has opened an investigation into the breach. [Tech Crunch]

WW – Breach Affects 93,000 Web.com Users

Some 93,000 Web.com users’ credit card information was compromised in a breach discovered on August 13. The company discovered the breach during routine security checks. Web.com has set up an FAQ page for its customers addressing issues including why it took the company five days to notify users of the breach and what its users should do now. “You should keep a close eye for any suspicious or unusual activity on any credit/debit cards that you may have used with Web.com,” the FAQ states, adding customers should also monitor their credit reports. The company is also offering a year of free credit monitoring, the report states. [Naked Security] [UK: Data breach by holiday firm Thomson exposes hundreds of passengers]

US – DoE Publishes Draft Medical Records Guide

The Department of Education (DoE) has published draft guidance for colleges to best navigate the use of student medical records while respecting privacy. The guidance was catalyzed by the recent University of Oregon suit in which the plaintiff argued the school violated her privacy by accessing her mental health records for use in a rape case. “We want to set the expectation that, with respect to litigation between institutions of higher education and students, institutions generally should not share student medical records with school attorneys or courts, without a court order or written consent,” said DoE CPO Kathleen Styles. The guidance is open for comments until October 2. [Inside Higher Ed]

Identity Issues

IN – UID Concerns Persist

“If I had a rupee for every time someone tried the ‘If you have nothing to hide, you have nothing to fear’ argument on me, I could have funded a privacy think tank devoted to debunking it,” Malavika Jayaram writes. Jayaram discusses the plan for a universal identifier, the Aadhaar card, contending that with Aadhaar, “Privacy is breached at several levels,” including when data is collected, when it is stored and when it is used. “All of this is compounded by the lack of a statutory frame for the Unique Identification Authority of India and/or a dedicated privacy law,” Jayaram writes, noting that while the attorney general has stated “there is no privacy violation if the data is not shared, this fails to acknowledge the very complex network of transactions and uses that the scheme is predicated on.” [Scroll]

US – Cross: Real-Name Policy Doesn’t Curb Harassment

Sociologist Katherine Cross argues that real-name policies implemented by several social networks and online communities will not stop cyber harassment. “The anti-anonymity lobby is being led by very large companies that have built both a business model and an ideology around forcing us to have a specific set of identities we bring to the Internet,” Cross said. “It’s being dressed up as a solution to abuse, but it is not … anonymity does not cause harassment—it does play a role, but it is much more complicated than most people make it out to be.” Cross added, “If we continue down this path of blaming anonymity, we will never tackle the causes of online harassment.” [Wired]

US – Woman Pleads Guilty to $7.5 Million Identity-Theft Scheme

A Phenix City woman pleaded guilty in Montgomery to conspiracy and aggravated identity theft involving a $7.5 million identity-theft refund fraud. Talashia Hinton pleaded guilty in U.S. District Court to using information stolen from databases maintained by the state of Alabama to file false tax returns and steal millions from the government. The indictment contends that Hinton worked with co-conspirators to file more than 3,000 false tax returns for 2012 and 2013, claiming more than $7.5 million in federal income tax refunds from the Internal Revenue Service. [The Montgomery Advertiser] [Internet company Web.com hit by credit card breach]

Internet / WWW

UN – Privacy Chief Calls for Internet Geneva Convention

Joseph Cannataci, the UN’s first special rapporteur on the right to privacy, believes “the world needs a Geneva convention style law for the Internet to safeguard data and combat the threat of massive clandestine digital surveillance,” The Guardian reports. Describing the current state of the world as worse than George Orwell’s 1984, he notes, “Orwell foresaw a technology that was controlling. In our case we are looking at a technology that is ever-developing, and ever-developing possibly more sinister capabilities.” Meanwhile, InfoSecurity reports the UN Diplomatic Council (DC) is criticizing Internet providers’ failure to protect customers’ digital information. “There is an urgent need to bring about a harmonization via the UN, which guarantees the people all over the world a digital privacy,” said the DC’s Dorian Hartmuth. [The Guardian]

Law Enforcement

US – License Plate Reader Controversy at Forefront After Wednesday’s Killings

After Virginia State Police used an automatic license-plate reader (ALPR) to spot Vester Lee Flanagan fleeing the scene after shooting to death two journalists, the debate over ALPRs has come to the forefront. While organizations like the Electronic Frontier Foundation (EFF) and the ACLU have spoken out against the devices for the privacy implications for ordinary citizens, police departments say they’re a critical tool in controlling crime. Jennifer Lynch, senior staff attorney at the EFF said while ALPRs may be useful “in an extreme scenario like this one, that shouldn’t mean the police can indiscriminately keep data for an extended period of time on all other cars in the area.” [SC Magazine]

US – San Jose Looks at Using Garbage Haulers to Catch Car Thieves

San Jose Mayor Sam Liccardo and Councilmen Johnny Khamis and Raul Peralez have proposed that the city consider strapping license plate readers to the front of garbage trucks, allowing them to record the plates of every car along their routes. The data would be fed directly to the Police Department from the privately operated trash trucks, prompting an officer to respond to stolen vehicles or cars involved with serious crime. “We can cover every street at least once a week and possibly deter thieves from coming into our city,” Khamis said. A committee chaired by Liccardo that sets the council’s agenda voted to continue exploring the idea. Khamis said the action is only the first step in a long process. The proposal calls for city officials to explore the “feasibility, legality and civil liberties implications” of garbage-truck-mounted license plate readers. Questions the council members asked the city to consider include the process of transferring license data from the private garbage trucks to the police, whether the trucks would be subject to the same or different policies from those governing police car license readers, and whether other cities have taken similar measures and how they worked. “We’ll look at privacy concerns and talk to ACLU before we do anything,” Khamis said. [San Jose Mercury News] [Beaconsfield garbage truck cameras an invasion of privacy, residents say] [US: Privacy Questioned as Firefighters Embrace Helmet Cameras]

CA – Ontario Police Records Check Changes on the Docket

When the Ontario Legislature resumes its sitting in September, it will be looking at the Police Record Checks Reform Act 2015, which would limit the types of information disclosed in response to records check requests and bring greater uniformity to records checks. Timothy Banks examines “what a police records check will include and what it won’t when you request a police records check on a current or prospective employee or volunteer.” The bill has broad support and “is a direct response to concerns about the practice of releasing non-conviction information and mental health information as part of criminal record checks,” reports Banks. [Privacy Tracker]

US – Police Data Now Has Six-Month Shelf Life

In California, the Oakland Police Department has announced that it will now store license-plate reader data for six months, a new policy catalyzed by its server system consistently crashing due to the large amounts of information it was required to retain. “Looking back at a year doesn’t help you solve a case,” said Oakland Sgt. Dave Burke. “There is no plan to store the data beyond six months. The investigators are not looking for data beyond six months. It does us no good to have these datasets if we do not mine them for intelligence.” [Ars Technica]

US – City Attorney: MeetMe Creators Going Beyond Settlement

MeetMe, Inc., has agreed to a $200,000 settlement with the City of San Francisco following a lawsuit regarding its privacy policy and how its popular MeetMe mobile app potentially endangers minors who utilize the program. “Company officials thoughtfully and responsibly considered the violations we alleged under California law, and ultimately aspired to remedies even beyond those we sought,” said San Francisco City Attorney Dennis Herrera. The company pledged to “simplify its privacy terms by drafting a new policy written at a ninth-grade reading level, displaying all privacy settings on one screen and providing regular ‘privacy check-ups’ to apprise users of their settings and explain how to modify their choices,” the report states. [The Recorder]

US – First State Legalizes Taser Drones for Cops

It is now legal for law enforcement in North Dakota to fly drones armed with everything from Tasers to tear gas thanks to a last-minute push by a pro-police lobbyist. With all the concern over the militarization of police in the past year, no one noticed that the state became the first in the union to allow police to equip drones with “less than lethal” weapons. House Bill 1328 wasn’t drafted that way. The bill’s stated intent was to require police to obtain a search warrant from a judge in order to use a drone to search for criminal evidence. In fact, the original draft of Rep. Rick Becker’s bill would have banned all weapons on police drones. Then Bruce Burkett of the North Dakota Peace Officers Association was allowed by the state house committee to amend HB 1328 and limit the prohibition to lethal weapons only. “Less than lethal” weapons like rubber bullets, pepper spray, tear gas, sound cannons and Tasers are therefore permitted on police drones. Becker, the bill’s Republican sponsor, said he had to live with it. [The Daily Beast] [Will we pick privacy over drone-drops from Amazon?]

Offshore

NZ – Immigration NZ in Breach of Privacy Act

Immigration New Zealand has been found to have breached an immigrant’s privacy by refusing to correct his date of birth. The man from Ethiopia had no record of his birth, and arrived in New Zealand with incorrect information on his travel documents. Two years later he underwent a bone density scan and dental examination to clarify his age, which indicated he was possibly as old as 18 at the time. The man asked Immigration New Zealand to change his year of birth to 1996, but it refused and added a note to his file instead. Privacy Commissioner John Edwards has referred the case to the Director of Human Rights Proceedings. He said the incorrect date restricted the man from accessing a number of entitlements, including a driver’s licence and the adult minimum wage. But a spokesperson from Immigration said if the man’s passport showed his birth year as early 2000, the document itself needed to be altered or replaced, and there were important identity issues at stake. [radionz.co.nz]

Online Privacy

RU – Complaints Filed Over Windows 10

The Prosecutor General’s Office received another round of complaints regarding Windows 10, this time from Moscow law firm Bubnov and Partners, alleging the system harvests user data without consent, a potential breach of Russian privacy statutes. “The new operating system offers users the choice of how they want it to handle their data, and users can change the settings at any point,” Microsoft said in response. The Russian Association for Electronic Communications corroborated the company’s claim in a statement, including information for concerned customers on how to change their settings. [The Moscow Times] See also [NZ Privacy Commissioner watching Microsoft on Windows 10]

WW – Study Finds Zombie Cookie Use to Be an Undead Practice

In a recent study, consumer advocacy organization Access found through its site AmiBeingTracked.com that, although the practice was thought to have died down, 15% of wireless users are still being tagged with “zombie cookies”: tracking headers that the carrier inserts into subscribers’ web traffic and that permit carriers like Verizon and AT&T “to ignore a user’s privacy preferences on the browser level and track all online behavior,” Wireless reports. “Using tracking headers also raises concerns related to data retention,” the study states. “When ‘honey pots’ of sensitive information, such as data on browsing, location and phone numbers, are collected and stored, they attract malicious hacking and government surveillance. This kind of collection and retention of user data is unsustainable and unwise, and creates unmanageable risks for businesses and customers alike.” [Full Story]
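What makes a tracking header a “zombie” is that it is not stored on the device at all: the carrier’s network re-inserts it into every plaintext HTTP request, so clearing cookies or switching to private browsing does nothing, while a third-party site can key its profile on the header and re-issue the same cookie each time. The simulation below is an added example, not part of the original study or the code of any carrier or site; it models a browser, a carrier middlebox and a third-party site as plain Python objects. X-UIDH and X-ACR are the header names Verizon and AT&T were publicly reported to use; the subscriber, hostname and token values are constructed.

```python
import itertools
import secrets
from collections import defaultdict

# Header names publicly reported for carrier-injected identifiers (Verizon X-UIDH, AT&T X-ACR).
INJECTED_HEADER_NAMES = {"x-uidh", "x-acr"}


def detect_tracking_headers(headers):
    """Site-side check: return the names of known carrier-injected headers present on a request."""
    return sorted(h for h in headers if h.lower() in INJECTED_HEADER_NAMES)


class Browser:
    """Minimal client with a per-host cookie jar that the user can clear."""

    def __init__(self):
        self.cookies = {}

    def build_request(self, scheme, host, path):
        headers = {"Host": host, "User-Agent": "demo-browser/1.0"}
        if host in self.cookies:
            headers["Cookie"] = "sid=" + self.cookies[host]
        return {"scheme": scheme, "host": host, "path": path, "headers": headers}

    def receive(self, host, response):
        if "Set-Cookie" in response:
            self.cookies[host] = response["Set-Cookie"].split("sid=", 1)[1]

    def clear_cookies(self):
        self.cookies.clear()


class CarrierMiddlebox:
    """The network hop that stamps a stable per-subscriber token onto plaintext HTTP."""

    def __init__(self):
        self.tokens = {}  # constructed subscriber -> opaque token mapping

    def forward(self, subscriber, request):
        if request["scheme"] != "http":
            return request  # TLS: headers are encrypted end to end, so there is no injection point
        token = self.tokens.setdefault(subscriber, secrets.token_hex(16))
        headers = dict(request["headers"])
        headers["X-UIDH"] = token
        return dict(request, headers=headers)


class TrackingSite:
    """Third-party site that prefers the injected header over its own cookie when building profiles."""

    def __init__(self):
        self.profiles = defaultdict(list)  # profile key -> paths visited
        self._ids = itertools.count(1)

    def handle(self, request):
        headers = request["headers"]
        key = headers.get("X-UIDH")
        if key is None:
            cookie = headers.get("Cookie", "")
            key = cookie.split("sid=", 1)[1] if "sid=" in cookie else "sid-%d" % next(self._ids)
        self.profiles[key].append(request["path"])
        return {"Set-Cookie": "sid=" + key}  # the cookie comes back to life from the header


def simulate(scheme, pages_before_clear=2, pages_after_clear=2):
    """Browse, clear cookies, browse again; return how many distinct profiles the site ended up with."""
    browser, carrier, site = Browser(), CarrierMiddlebox(), TrackingSite()
    host = "tracker.example"  # constructed

    def visit(path):
        request = carrier.forward("subscriber-A", browser.build_request(scheme, host, path))
        browser.receive(host, site.handle(request))

    for i in range(pages_before_clear):
        visit("/page%d" % i)
    browser.clear_cookies()
    for i in range(pages_after_clear):
        visit("/page%d" % (pages_before_clear + i))
    return len(site.profiles)


if __name__ == "__main__":
    print("profiles over http :", simulate("http"))   # 1: the cookie purge changed nothing
    print("profiles over https:", simulate("https"))  # 2: the two sessions stay unlinked
```

Two practical points follow from the model. The user has no client-side remedy short of HTTPS or a VPN, because the header is added after the request leaves the device; the study’s “ignore a user’s privacy preferences on the browser level” is literal. A site operator, on the other hand, can see the header arrive and has a choice: `detect_tracking_headers` is the check to run before deciding whether to honour it, strip it from logs, or refuse to key anything on it.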

US – WPF Launches Campaign to Opt Kids Out of Data-Sharing

The World Privacy Forum (WPF) has launched an #OptOutKids campaign that encourages parents and students to opt out of allowing schools to share their data. “Most parents are unaware that schools can compromise their children’s privacy and possibly their safety by sharing private information like their child’s phone number, home address, date of birth, GPA, email and photos with anyone without consent,” WPF states in its announcement. Most schools, however, have a brief window for opt outs, according to WPF Executive Director Pam Dixon, and the beginning of the school year is the time. Parents should opt their children out, Dixon said, because schools sending detailed data on children to unknown third parties can be “a risk for identity theft and worse.” [Full Story]

WW – Twitter Decides Politicians’ Tweets Need Forgetting

Mathew Ingram writes about Twitter’s decision to block users like @Politwoops, which used Twitter’s API to document and track Twitter statements of politicians, archiving them even after they’d been deleted. Twitter’s position is that politicians are just like any users, and it would be chilling for users to think they could never erase a statement made on Twitter. However, argues Ingram, “there’s a clear social value in having tweets about important political topics preserved, in the same way that there’s a social value in recording off-the-cuff remarks made by politicians at meet-and-greet events.” Do this decision and the UK Information Commissioner’s Office’s position that links to stories about RTBF removals must themselves be removed indicate a chilling of free speech? [FORTUNE]

UK – ICO Wants Links to Stories About RTBF Requests Removed

Since the EU’s embrace of the right to be forgotten, reports citing specific examples of story-removal requests have begun spurring interest in the stories set to be removed. As such, the UK Information Commissioner’s Office has requested Google take down links to those article-removal-request stories as well. The move “could provide an example for other countries, potentially provoking a new wave of takedown requests of stories about takedown requests and a subsequent wave of stories about those new requests,” the report states, adding, “That will also give ammunition to both free speech advocates and privacy activists in their tussle over where to draw the line between privacy and the public’s right to know.” [The Wall Street Journal]

WW – Torrent Sites Block Windows 10; Apple Criticized

Since Windows 10 launched, there’s been no shortage of privacy concerns voiced. Now, torrent sites are beginning to put measures in place to block Windows 10 users from accessing them. “The concern is spreading like a virus,” the report states, noting the concerns are largely the result of paranoia. The Australian tested Windows 10’s new facial recognition feature and found the software “able to maintain privacy even when dealing with identical twins.” Meanwhile, Theo Priestley criticizes Apple’s use of data, saying the company is “still very much self-serving for the sake of looking consumer friendly.” [BetaNews] [Torrent trackers ban Windows 10 over privacy concerns] [Apple Privacy May Not Be As Private As You Think]

WW – Spotify Clarifies Privacy Policy

Spotify unveiled a new privacy policy that proved to be controversial. The new policy explained how Spotify plans to use personal information to enhance its features and would do so by collecting information about users’ location, contacts and photos, among other data. The changes prompted Norway’s data protection authority to criticize the company, and Minecraft creator Markus Persson to say he’d cancel his subscription. But the day after unveiling the new policy, Spotify CEO Daniel Ek clarified that Spotify would seek express permission from users before accessing any of the data and would only use it for the specific purposes for which it was collected, Wired reports. Some say the incident illustrates the dangers of poor messaging, not poor policies. [Full Story] [Location, Sensors, Voice, Photos?! Spotify Just Got Real Creepy With The Data It Collects On You] [Spotify’s chief executive apologises after user backlash over new privacy policy]

WW – Is the Media Overreacting to Spotify’s New Privacy Policy?

Media reports emerged calling Spotify’s new privacy policy creepy and an “eerie“ agreement “you can’t do squat about,” but Tom Warren points out such analysis is an overreaction and spreads “FUD”—fear, uncertainty and doubt. Critics have pointed out that Spotify wants to collect photos, contacts or media files from mobile devices, but Warren notes that those critics are failing to point out that the privacy policy states, “[w]ith your permission” first. “Instead of spreading FUD … a reasonable debate around smarter and more transparent terms of use or even why all these apps constantly need this data would be a way to hold Spotify and many other companies to account.” [The Verge]

WW – Facebook Privacy Policies Progressively Problematic?

A study by two Harvard students indicates Facebook’s privacy policies have shown a “stark” and steady decline since a major 2009 privacy overhaul. Jennifer Shore and Jill Steinman’s research indicates that Facebook “doesn’t seem especially responsive to pressure either from advocacy groups or regulators,” the column continues, noting their findings show the company’s “standards for privacy drop in 22 of the 33 areas that they study.” Meanwhile, the Harvard student who lost his Facebook internship after developing a “Marauder’s Map” function using site data tells GeekWire he’s “happy with the way things turned out.” [Washington Post] [Facebook’s Threat Intelligence Sharing Potential: Data management, scale, and algorithmic strengths may give Facebook an advantage in threat intelligence sharing]

Other Jurisdictions

AU – Pilgrim Reappointed as Privacy Commissioner

Privacy Commissioner Timothy Pilgrim has been reappointed for another year, with his next term to begin in October. Australian Attorney-General George Brandis, who reappointed Pilgrim, praised his “good working relationship” with businesses as well as government agencies and consumer groups and his work “building awareness of privacy rights and obligations.” Pilgrim has served as privacy commissioner for five years, working in that capacity from July 2010 until July of this year, and then adding “the three-month role of acting information commissioner to his portfolio last month,” the report states, noting Pilgrim also served previously as deputy privacy commissioner from 1998 until 2010. [ZDNet]

IN – Prime Minister to Promote Digital India Campaign This Week

Prime Minister Narendra Modi will this week visit Silicon Valley to promote his “Digital India” campaign. But privacy advocates are speaking up ahead of Modi’s arrival. Approximately 137 academics, most of them of Indian origin, signed a statement saying Digital India seems to ignore how data is treated and how it might fuel repressive surveillance programs. “We are concerned that the project’s potential for increased transparency in bureaucratic dealings with people is threatened by its lack of safeguards about privacy information, and thus its potential for abuse,” the statement reads. [The Economic Times]

Privacy (US)

US – FTC Settles With 13 Companies for False Safe Harbor Claims

The U.S. FTC announced it has settled with 13 companies on charges “they misled consumers by claiming they were certified members of the U.S.-EU or U.S.-Swiss Safe Harbor frameworks when their certifications lapsed or the companies had never applied for membership in the program at all.” The companies include a data broker, IT forensics firm, medical waste solution provider—even Dale Jarrett Racing Adventure. Under the settlement, the companies are “prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or other self-regulatory or standard-setting organization.” Meanwhile, the FTC awarded a $25,000 cash prize to the makers of RoboKiller, a mobile app that “blocks and forwards robocalls to a crowd-sourced honeypot.” Other prizes were awarded as well as part of the National Day of Civic Hacking in June. [Full Story]

US – FTC Announces “Start with Security” Agenda

The FTC has unveiled the agenda for its “Start with Security” conference on September 9 in San Francisco, CA. “Aimed at start-ups and developers,” the FTC press release explains, “this event will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development and vulnerability response.” Cosponsored by the University of California Hastings College of the Law, conference panelists include a wide array of chief information security officers, engineers, chief technology officers and product managers from several organizations, including Google, Yahoo, Mozilla, Pinterest, Twitter, SANS Institute, OWASP Mobile Top Ten, Fastly, Dropbox, Duo Security, HackerOne, Contrast Security and Signal Sciences. [Full Story]

US – FTC Announces New Event, PrivacyCon

To ensure solid consumer privacy policy while also encouraging technological innovation, the FTC needs greater input from technologists, and FTC Chairwoman Edith Ramirez has announced a new event for this January to get it. “We hear frequently from industry groups, consumer advocates and government colleagues about policy issues,” Ramirez says. “We also hear from technologists, but not as much as we’d like; we need more of them to weigh in on these important issues.” An easy way to do that, she explains, is contributing technological and privacy-related research to the FTC’s first-ever PrivacyCon, “which aims to bring together leading privacy and security researchers with policymakers to present and discuss their latest findings” in Washington, D.C. [Ars Technica]

US – Suits Filed Against IRS, MIE

Two Texas women filed lawsuits last week in Washington, DC, complaining the “U.S. government cannot be relied upon to keep the personal data of its citizens safe.” The suits follow the Internal Revenue Service’s (IRS) data breach in which hackers gained access to PII belonging to at least 330,000 people. California firm McCuneWright also filed a class-action complaint Thursday against the IRS. Meanwhile, Medical Informatics Engineering faces an additional three federal lawsuits over its recent breach, bringing the grand total to six, The Journal Gazette reports. [Bloomberg]

US – Delaware Reader Privacy Law Takes Effect January 1

On January 1, 2016, a new law will go into effect in Delaware that requires all book service providers with online sales exceeding two percent of their gross sales to protect the privacy of customer information. The Delaware Online Privacy and Protection Act will not affect most independent booksellers because it applies only to companies that sell a lot of books online, the report states. And unlike reader privacy laws in California and New Jersey, it does not affect brick-and-mortar stores. The Delaware law does not impose penalties but does allow that a company could be the target of a civil suit for breach of privacy. [American Booksellers Association]

US – Corporation Commission to Investigate Data-Sharing Complaint

The Kansas Corporation Commission (KCC) plans to investigate a complaint alleging Westar Energy violated customers’ privacy. Westar partnered with Home Serve USA in October to give customers the option to buy coverage for electric infrastructure around their homes not covered by the utility. But one Emporia resident filed a complaint with the KCC alleging Westar violated its privacy policy by giving her information to Home Serve, claiming she’s received junk mail from Home Serve. Gina Penzig, spokeswoman for Westar, said the utility’s privacy policy allows it to share customers’ contact information with “well-vetted partners” like Home Serve. [The Hutchinson News]

US – Ex-Prez Bush, Cheney Sued for Email, Phone Spying During Olympics

Ex-US president George W Bush, former Vice President Dick Cheney, and senior law enforcement officials have been named in a class-action lawsuit for authorizing blanket phone, email, and text message surveillance of Utah citizens during the 2002 Winter Olympics. In 2013 the Wall Street Journal reported that the FBI and NSA had done a deal with telco Qwest Communications for blanket surveillance coverage for Salt Lake City during the Winter Olympics. Then-mayor Ross “Rocky” Anderson has now taken up the case and has filed the class action suit. “This is the first time anyone knows of that a surveillance cone has been placed over a specific geographical area in the United States,” he said. “What was so alarming was that they were reading the contents of the text messages and emails.” Anderson served two consecutive terms as mayor between 2000 and 2008. There are currently six plaintiffs, including Utah State Senator Howard Stephenson (R-Draper), former Salt Lake City Council member Deeda Seed, and local historian Will Bagley. In addition to the presidential duo, the suit names former NSA Director Michael Hayden and Cheney’s attorney David Addington, who authorized the surveillance. [The Register]

US – Comcast Names Web Subscriber Whose Account Was Used to Insinuate a Politician Molested Children

Comcast Cable Communications has given a northern Illinois politician the identity of an Internet service subscriber whose account was used to post an anonymous comment online suggesting the politician molests children. That customer is being named as defendant in a lawsuit in the case, which arises from comments made online anonymously. Illinois courts have ruled an account holder’s privacy isn’t protected in such matters. Comcast turned over the name of the subscriber on Aug. 14, attorney Andrew Smith said, almost two months after the Illinois Supreme Court upheld lower court rulings that Internet service providers have no obligation to withhold the identity of a commenter if their comments could be considered defamatory. The U.S. Supreme Court declined to take up the case, which has played out in an environment of increasing concern about potentially damaging online comments made by anonymous Internet users. Experts generally agree that Internet commenters should know their identity won’t be protected if their comments cross the line into defamation. [Associated Press]

US – OPM Sued Again … This Time by a Judge

The U.S. Office of Personnel Management has been hit with yet another lawsuit related to its alleged cybersecurity and privacy failings, and the role they played in the massive breach that exposed background-check information that the agency was storing for 21.5 million people. But unlike the three other lawsuits already filed against OPM, this one differs in part because the plaintiff is a judge. Teresa J. McGarry, who works as an administrative law judge for the Social Security Administration, filed her lawsuit earlier this month against OPM, the U.S. Department of Homeland Security, as well as KeyPoint Government Solutions, which is the largest provider of background-check services for the U.S. government. McGarry’s lawsuit, which seeks class-action status, alleges that OPM failed in its duty to maintain and safeguard the data that was in its care – including background-check forms containing extensive personal information from applicants, as well as copies of applicants’ fingerprints – thus violating U.S. privacy laws, as well as government cybersecurity regulations. The suit seeks in part to make both OPM and KeyPoint take “reasonable steps” to implement and maintain a program to protect people’s personally identifiable information. It also seeks unspecified damages.

Einstein Called Out: The lawsuit also takes aim at DHS and, in particular, its administration of the so-called Einstein intrusion detection system (see Senate Committee Passes Bill Requiring Einstein Use). “The system was created to detect and prevent intruders from compromising the cybersecurity of federal governmental databases, including those housed at OPM and other governmental agencies,” the lawsuit says. “DHS failed as Einstein did not prevent intruders from breaching the OPM network and extracting sensitive files pertaining to millions of current, former and prospective federal employees and contractors.”

Four Lawsuits – And Counting: So far, the OPM breach has resulted in lawsuits being filed against the agency by two unions – the American Federation of Government Employees and the National Treasury Employees Union – on behalf of their members, as well as a $5 million lawsuit filed by breach victim Marcy C. Woo. She worked for the federal government for 28 years, and her suit alleges that top officials at the OPM knew about cybersecurity deficiencies, but failed to fix them. Woo’s lawsuit names OPM, as well as former director Archuleta, CIO Donna Seymour and KeyPoint. [Government Information Security]

US – FERPA Updates: It’s a No From the Internet Association

The Internet Association takes umbrage with proposed revisions to the Family Educational Rights and Privacy Act (FERPA) via the Student Privacy Protections Act, arguing that the requirements are “too broad.” “As currently drafted, the data security and privacy provisions of the bill impose vague security requirements, including notice requirements triggered by a ‘breach of the security practices,’ which theoretically could include common employee errors such as failing to properly sign-in a visitor or failing to logout of a computer when going to get coffee for five minutes,” the organization said in a letter to the House Education and Workforce Committee. [The Hill]

US – Jeb Bush: Revisit USA PATRIOT Act Changes

Republican presidential candidate Jeb Bush said he found “no evidence” that USA PATRIOT Act surveillance measures were detrimental to American civil liberties, arguing that revisions to the act need to be reconsidered. “There’s a place to find common ground between personal civil liberties and NSA doing its job,” Bush said. “I think the balance has actually gone the wrong way.” He also called for greater corporate/government cooperation while taking aim at encryption efforts. “It makes it harder for the American government to do its job while protecting civil liberties to make sure evildoers aren’t in our midst,” he said. “Market share … should not be the be-all-end-all,” he added, advocating for “a new arrangement with Silicon Valley in this regard.” [Associated Press]

US – Court: MSU Required to Share Info

A Michigan Court of Appeals has ruled that Michigan State University (MSU) is legally obligated to disclose all personal details in public incident reports about its student athletes. After filing a September 2014 document request for an investigative piece, ESPN found that MSU “removed the names and identifying information about suspects, victims and witnesses,” the report states. ESPN successfully sued the school in February for the release of pertinent information, but MSU brought the matter back to court in an attempt to change the ruling. “The disclosure of the names of the student-athletes who were identified as suspects in the reports serves the public understanding of the operation of the university’s police department,” the Court of Appeals said. “The disclosure of the names is necessary to this purpose.” [ESPN]

US – Privacy News Roundup

US – Court Rules in Favor of NSA

Much to the chagrin of privacy advocates, the U.S. Court of Appeals for the District of Columbia Circuit ruled that the National Security Agency’s (NSA) collection of metadata under the USA Freedom Act could continue until the bill’s expiration in November, due to a “lack of sufficient grounds for the preliminary injunction.” Meanwhile, Andy Greenberg argues that suing the NSA is tricky because “someone has to prove that their privacy rights were infringed. And that proof is almost always a secret.” Regardless, plaintiff Larry Klayman plans on taking an appeal to the Supreme Court. “We are confident of prevailing,” he said. [Reuters] [Privacy Is a Human Right: Data Retention Violates That Right]

US – NSF, Intel Partnership Extends $6 Million in Research Grants

The National Science Foundation (NSF) and Intel have partnered to offer two new grants totaling $6 million for researchers aiming to find privacy and security solutions in the cyber-physical systems (CPS) underlying the Internet of Things. An NSF press release notes that a “key emphasis of these grants is to refine an understanding of the broader socioeconomic factors that influence CPS security and privacy.” Jim Kurose, who heads up the NSF’s Computer and Information Science and Engineering, said, “Rigorous interdisciplinary research, such as the projects announced today … can help to better understand and mitigate threats to our critical cyber-physical systems and secure the nation’s economy, public safety and overall well-being.” Intel’s Christopher Ramming said the company is “enthusiastic about this new model of partnership.” [Full Story]

Privacy Enhancing Technologies (PETs)

WW – Blackphone 2 Coming in September

Silent Circle’s privacy-focused Blackphone has a new iteration: Blackphone 2. “Thanks to the encryption and special software, all calls and texts made with the phone are secure from all the inquisitive eyes,” the report states. The phone employs Silent OS and Spaces, a program that permits “users and companies to create isolated operating system accounts that don’t interact with each other and therefore, remain more secure,” the report continues. Currently available for preorder, the device will be widely released in September. [TechWorm]

WW – Has the Time Come for Personal APIs?

Chris Middleton writes about a future where “a search company has used all of the personal data that’s spread across the Internet about me to patent the concept ‘Chris Middleton,’ and, as a result, I am now a person of no fixed identity languishing in prison for breach of copyright.” Consumers, he suggests, should protect themselves by creating personal application program interface (API) platforms. Personal APIs “could be a fascinating route ahead for consumers in the digital world,” he writes. Placing data behind personal APIs might give consumers the ability to force organizations and individuals “to engage with you on your terms,” he writes, giving consumers the power to withdraw their support from those that do not “match your own belief systems.” [diginomica]

RFID / IoT

WW – Companies to Collaborate for IoT Privacy

Microchip Technology has announced a collaboration with Intel to implement Intel Enhanced Privacy ID (EPID) technology. “Intel EPID is a sophisticated, proven approach to device authentication that provides both security and privacy for the on-ramp to the Internet of Things (IoT),” the report states. “Microchip has long recognized the importance of security in IoT applications,” said Microchip’s Ian Harris. “Collaborating with Intel to integrate its proven Intel EPID technology demonstrates Microchip’s steadfast commitment to providing the very best IoT solutions, by working to enable designers with the safe and secure interoperation of their ‘things’ with Intel’s devices, gateways and servers.” [StreetInsider.com]

JP – Police, Satellite Tracking Planned

By 2018, the Road Transport Department plans to apply a Radio Frequency Identification (RFID) device to vehicles across Malaysia. The aim of the RFID is to “allow real-time monitoring of traffic conditions and help police track down criminals,” the report states. “While this may raise privacy concerns … the use of RFID tech will herald a new era for vehicle security … and could be the answer to combat vehicle theft and cloned vehicle syndicates,” said Deputy Transport Minister Datuk Aziz Kaprawi. A “smart code” feature permits vehicle tracking by the authorities and satellites. [Paultan.org] [Somebody’s watching: Telematics for cars pits insurers against privacy advocates]

US – California Bill Seeks to Regulate Smart TVs

After discovering that “smart” TVs could record their owners’ conversations without consent, California Assemblyman Mike Gatto (D-Glendale) is championing AB116, which aims to mandate that smart TV users be “explicitly informed” their devices might record their conversations. The bill also “forbids TV manufacturers and related third parties from using or selling stored conversations for advertising purposes and would allow manufacturers to reject law enforcement efforts to use the feature to monitor conversations,” the report continues. While privacy advocates applaud the move, the Electronic Frontier Foundation’s Lee Tien points to room for improvement. “Notice is not consent,” Tien said. Smart TV-maker Samsung has indicated it supports the bill, the report states. [Associated Press]

Security

US – Pentagon Releases Cybersecurity Incident Reporting Rules

The Pentagon is rolling out long-awaited rules governing how the defense industry should report cybersecurity incidents. The regulations were published in the Federal Register on Wednesday. They require contractors and subcontractors to report “cyber incidents that result in an actual or potentially adverse effect” on either the contractor’s information system and data or its ability to provide “operationally critical support,” the report states. The rules aim to provide a single pathway for Defense Department contractors to report cyber incidents. [The Hill]

WW – Study: The Access of the Few Creates Risk for the Many

According to a new study by CloudLock, system administrators and those with heightened privileges at an organization that employs a cloud service are responsible for 75 percent of the risk, with hackers focusing on those particular users for easy data access. “Cyber attacks today target your users—not your infrastructure,” said CloudLock CEO Gil Zimmermann. “As technology leaders wake up to this new reality, security programs are being reengineered to focus where true risk lies: with the user,” adding that “the best defense is to know what typical user behavior looks like—and, more importantly, what it doesn’t.” [The Washington Post] [Cars can be hacked by their tiny, plug-in insurance discount trackers]

US – Uber to Beef Up Security Team in Push to Strengthen Data Safety

Uber is to significantly expand its security team as it seeks to soothe worries about data privacy, defend against hackers and even protect its offices and employees from physical attack. The group, most recently valued at about $50bn, plans to end the year with more than 100 staff in its security team, an increase from about 25. [Financial Times]

Surveillance

WW – UK Surveillance ‘Worse Than Orwell’, Says UN Privacy Chief

Joseph Cannataci, the newly appointed UN special rapporteur on privacy, has called the UK’s oversight of surveillance “a rather bad joke at its citizens’ expense,” describing the situation regarding privacy as “worse” than anything George Orwell imagined in his dystopian novel ‘1984’. Appointed after concern about surveillance and privacy following the Edward Snowden revelations, Cannataci agreed that his notion of a new universal law on surveillance could embarrass those who may not sign up to it, but for Cannataci – well-known for having a mind of his own – it is not America but Britain that he singles out as having the weakest oversight in the western world. Although Cannataci admits his job is a complex one that is not going to be solved with a magic bullet, he says he is far from starting from scratch and believes there are at least four main areas to work on – including a universal law on surveillance, tackling the business models of the big tech corporations, defining privacy and raising awareness among the public. [Before Its News]

US – NSA and BfV Surveillance Exchange Revealed

The National Security Agency (NSA) and its German equivalent, the Office for the Protection of the Constitution (BfV), traded access to the U.S. Internet surveillance program XKeyscore for targeted surveillance information on German citizens. While former German Data Protection Commissioner Peter Schaar claimed that he “knew nothing about such an exchange deal,” an official memo obtained by Die Zeit – the outlet that broke the story – indicates that Germany pledged to “(u)tilize XKeyscore in a manner consistent with German law and in a manner reasonably likely not to result in the targeting of U.S. persons,” the report continues. [National Journal]

WW – Global Think Tank Calls for Global Digital Privacy

After an open hearing earlier this month aimed at formulating a group stance, the Diplomatic Council, a UN-registered global think tank, called for more transparency when it comes to government surveillance across the world. Attorney Thomas Lapp, chairman of the Global Information Security Forum of the Diplomatic Council, proposed worldwide stipulations on any judge who approves interception measures. He called for judges to be required to document each interception approved and provide annual reports that give details on the outcomes of surveillance, including whether the activities led to convictions. Lapp feels the stipulations would influence authorities to examine eavesdropping requests more carefully while making the process more transparent to the public. In addition, the Diplomatic Council is mulling global legislation to curb data collection by large internet corporations. Lapp contended that big companies circumvent the strict data protection laws of several countries. [SC Magazine]

WW – Companies Fight Back with “Warrant Canaries”

There are challenges to running privacy services—specifically the legal challenge of keeping promises to customers despite government pressure for access to data. To cope, companies have created “warrant canaries.” Companies publish transparency reports listing the number of “secret, gag-ordered surveillance warrants” received, stating that number as zero. If a secret warrant has since been served, the listing is simply omitted from the next report. Users would notice this and stop using the service, the message to the government being: Serve us with a secret warrant, and everyone you want to spy on will stop using this service. “The idea of warrant canaries is not to voluntarily go out of business, it’s to make business-destroying secret warrants useless,” the report states. [The Guardian]
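One way a user could automate the “noticing” the canary scheme depends on, as an added example that is not code from The Guardian piece or from any provider: it parses two consecutive transparency reports in a constructed key: value format, flags the moment the zero-secret-warrants line disappears, and also treats an overdue report as inconclusive (a canary nobody refreshes says nothing either way). The report format, the key name `secret_gag_ordered_warrants` and the 120-day reporting period are assumptions made for this example.

```python
"""Warrant-canary monitor: detect when a provider's transparency report
drops the "zero secret warrants" statement that earlier reports carried.

Added example for the canary mechanism described above; not code from
The Guardian article or from any provider. The report format is a
constructed, hypothetical 'key: value' layout; real reports vary.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical key used for the canary line in the constructed reports.
CANARY_KEY = "secret_gag_ordered_warrants"
# Assumed reporting period for the staleness check (not from the article).
MAX_REPORT_AGE = timedelta(days=120)


@dataclass
class Report:
    published: date
    counts: dict  # category -> integer count


def parse_report(text: str) -> Report:
    """Parse a constructed 'key: value' transparency report.

    Blank lines and '#' comments are ignored. A 'published' line is
    required; every other line is an integer count for one category.
    """
    published = None
    counts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "published":
            published = date.fromisoformat(value)
        elif re.fullmatch(r"\d+", value):
            counts[key] = int(value)
        else:
            raise ValueError(f"non-integer count for {key}: {value!r}")
    if published is None:
        raise ValueError("report has no 'published' date")
    return Report(published, counts)


def canary_status(previous: Report, current: Report, today: date) -> str:
    """Classify the canary transition between two consecutive reports.

    'alive'   - current report still states the zero count
    'tripped' - previous report stated the count, current omits the line
                (the signal the article describes)
    'nonzero' - the line is present but the count is no longer zero
    'stale'   - current report is older than MAX_REPORT_AGE; inconclusive
    'never'   - neither report carried the canary line at all
    """
    if today - current.published > MAX_REPORT_AGE:
        return "stale"
    prev_has = CANARY_KEY in previous.counts
    cur_has = CANARY_KEY in current.counts
    if not prev_has and not cur_has:
        return "never"
    if prev_has and not cur_has:
        return "tripped"
    if current.counts[CANARY_KEY] != 0:
        return "nonzero"
    return "alive"


def check(previous_text: str, current_text: str, today_iso: str) -> str:
    """Parse both reports and classify the canary as of today_iso."""
    return canary_status(parse_report(previous_text), parse_report(current_text),
                         date.fromisoformat(today_iso))


# Constructed sample reports (not real provider data).
REPORT_Q1 = """
# Transparency report, constructed sample
published: 2015-04-01
subpoenas: 12
court_orders: 3
secret_gag_ordered_warrants: 0
"""

REPORT_Q2_ALIVE = """
published: 2015-07-01
subpoenas: 15
court_orders: 4
secret_gag_ordered_warrants: 0
"""

# Same quarter, but the canary line is gone: the signal users watch for.
REPORT_Q2_TRIPPED = """
published: 2015-07-01
subpoenas: 15
court_orders: 4
"""

if __name__ == "__main__":
    print(check(REPORT_Q1, REPORT_Q2_ALIVE, "2015-07-15"))    # alive
    print(check(REPORT_Q1, REPORT_Q2_TRIPPED, "2015-07-15"))  # tripped
```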

US – City Considers License-Plate Readers on Garbage Trucks

In San Jose, CA, the city’s mayor and one city councilman have put forward a new proposal that would allow sanitation vehicles—garbage trucks—to use license-plate readers to feed data automatically to city police. “We can cover every street at least once a week and possibly deter thieves from coming into our city,” said Councilman Johnny Khamis. If the proposal were to pass, the city would likely be the first in the country to expand license-plate readers beyond law enforcement to another public entity, the report states. Khamis said the city would consult with the ACLU over privacy concerns before moving forward. [Ars Technica]

US – Firefighters’ Helmet-Mounted Video Cameras Controversial

One rescue squad in Maryland believes the use of helmet-mounted cameras is invaluable, as such video allowed firefighters to later determine what they could have done better to stay safe. But in a California case, helmet-camera video of a plane crash showed a survivor being accidentally run over, and San Francisco’s “fire chief later reminded staff that all cameras are banned without prior approval,” the report states. The International Association of Fire Fighters (IAFF) does not support helmet cameras. The IAFF’s Jim Brinkley explained national standards for the cameras’ use are in development but said “that’s a long process.” [CBS News]

WW – Study: Mobile Companies Using Supercookies Outside U.S.

A study by Access Now finds that while mobile wireless companies no longer employ “supercookies” in the U.S., some do so in other parts of the world. Supercookies, or “unique identifier headers,” are codes that permit surreptitious tracking of mobile web use. Access Now’s Deji Olukotun suggested the “use of supercookies outside the U.S. is potentially more invasive because many people use smartphones as their primary way to access the Internet,” the report states. Verizon said it offers an opt-out service to users. “Most users don’t even know what to opt out of,” said Jacob Hoffman-Andrews of the Electronic Frontier Foundation, adding, “This technology is so intrusive that opt-outs are not appropriate.” [The Wall Street Journal] [Anti-privacy unkillable super-cookies spreading around the world | Study]

Telecom / TV

US – New FCC Rules Could Change Telecom Business Models

The FCC is planning to develop new privacy rules for Internet providers this fall following its net neutrality decision earlier this year, and those rules “could have big implications for companies like AT&T, Verizon and Comcast.” “FCC Chairman Tom Wheeler has declined to say when the agency might formally launch a rule-making process,” the report states, noting that if the FCC approves its new privacy policies for Internet providers, it could “powerfully affect the industry’s business model.” For example, the FCC’s new rule could limit such practices as AT&T’s recently launched package allowing customers a discount if the company can track their web history. [The Washington Post]

WW – UN Contacting AT&T About Alleged U.S. Wiretapping

The United Nations (UN) has said it plans to contact AT&T following a report “it allowed the U.S. National Security Agency (NSA) to wiretap all Internet communications at UN headquarters.” A UN spokeswoman said U.S. officials had assured the UN “they are not … monitoring our communications” when past allegations were made. A piece in The New York Times indicated “AT&T provided technical assistance in carrying out a secret U.S. court order permitting the wiretapping of all Internet communications” at the UN’s New York headquarters, the report states. Meanwhile, AT&T’s and other telecoms’ ability to monitor consumers and making it “deliberately tough“ for them to opt out of marketing “and having their personal data shared.” [Associated Press]

AU – 60 Minutes Uncovers Huge Mobile Phone Security Vulnerabilities

It’s the dirty little secret that’s facilitating what’s being called the biggest breach of privacy ever. Government, security agencies and the telecommunications industry will be forced to explain a security hole that allows hackers to listen in on conversations and hijack Australians’ mobile phones after it’s exposed by a 60 Minutes investigation, the program claims. By tapping into SS7, a signalling system in use by more than 800 telecommunication companies across the world including major Australian providers, hackers are able to listen in on conversations, steal information stored on mobile phones, and track the location of the phone’s user. The system has long been in use by spies and has been a secret of perpetrators of international espionage. It’s believed to be the very tactic used by Australian spies in tracking the phone calls of the wife of the Indonesian president. But recently, organised crime, commercial spies and potential terrorists have been exploiting this security loophole for their gain, 60 Minutes claims to have uncovered. [Source]

WW – Google Unveils OnHub, A Wi-Fi Router for The Smart-Home Era

The search giant’s newest device is a router Google hopes you’ll display proudly, and gives the company a beachhead for tech in your home too. The search giant unveiled the OnHub, a sleek new router that Google developed with the networking hardware company TP-Link. The $200 device is also meant to eventually help control all the other disparate Internet-connected devices in your home. The idea is this: Most Wi-Fi routers are ugly, with unruly cords, so people put them on the floor or out of the way where they can’t be seen. But that also causes the device to emit a weaker Wi-Fi signal, Google said. The company hopes the answer is making a better-looking device that people don’t mind displaying out in the open. It has subtle blinking lights and all its antennas are packed inside its black, cylindrical shell. The device also displays the Wi-Fi password if someone taps on it. [CNET]

WW – IAPP Launches First Privacy eBook

The IAPP has launched its first eBook, Introduction to IT Privacy: A Handbook for Technologists, which is now available from the Kindle bookstore on Amazon. “In an effort to provide our members access to privacy training content in the ways they find most useful, we decided to pursue offering our first eBook title for those privacy professionals who prefer to access this material digitally,” said IAPP Training Director Marla Berry. “We look forward to the response to this initial offering and anticipate we may be providing future texts to our members in this format as well.” The Privacy Advisor has all the details in this “Live from the IAPP” feature. [Full Story]

US Government Programs

EU – Sites Have Until September 30 To Meet Google’s User-Consent Requirements

It’s likely EU users have noticed an increase in the number of cookie notices they’re presented with while surfing the web—the result of a change in Google’s user-consent policy. The policy “requires website publishers who use Google cookies to obtain their European site visitors’ consent before dropping and reading cookies,” the report states. The change reflects EU regulators’ increasing focus on U.S. companies that serve EU customers. Sites, including ad publishers using Google services as a platform, have until September 30 to comply. Google has released a website to help guide companies in implementing the changes. [Silicon Republic]

US Legislation

US – Gov. Vetoes Notification Bill Expansion

A recent attempt by the Illinois legislature to significantly expand the scope of the Illinois data breach notification legislation was vetoed by Gov. Bruce Rauner. Rauner said Illinois Senate Bill 1833 “goes too far,” and the proposed legislation includes “duplicative and burdensome requirements” that other states don’t have. He added such requirements will hurt the state economy. Specifically, he said, including geolocation information and consumer marketing data under the types of protected information is unnecessary because it “does not pose the same risk of identity theft that justifies the extraordinary and costly security and notice requirements imposed by the Personal Information Protection Act.” [HealthITSecurity]

US – State Assembly Approves Drone-Trespassing Bill

The California State Assembly has approved a measure that would restrict the use of drones over private property without owners’ permission. The bill, proposed by Sen. Hannah-Beth Jackson (D-Santa Barbara), would make flying a drone less than 350 feet above private property without consent a trespassing violation. While some voiced concerns about harming industry, Assemblyman Mike Gatto (D-Los Angeles) said drone operators, not manufacturers, would be held liable. Meanwhile, a bill that would require local law enforcement agencies to set up policies governing their use of body cameras “fell flat after facing criticism from some Democrats that it did not go far enough,” the report states. [Los Angeles Times]

US – New Drone Bill Draws Industry’s Ire

Proposed legislation is inspiring ire from drone developers who argue it could smother the fledgling trade, citing as an example SB 142, which Sen. Hannah-Beth Jackson (D-CA) proposed in an effort at safeguarding privacy by keeping drones at least 350 feet above private property. “The industry argues—and the legislative committees acknowledge—myriad efforts are going on between state and federal authorities to hammer out a regulatory regimen,” the report states. Bruce Parks of the Association for Unmanned Vehicle Systems International argued “the threats are coming from hobbyists, not potential commercial users.” [The San Diego Union-Tribune]

US – Other Legislative News

Workplace Privacy

CA – Privacy Commissioners Urge Caution on BYOD

The Offices of the Privacy Commissioner and of the BC and Alberta Information and Privacy Commissioners have created new guidelines for BYOD programs. “Allowing employees to use their mobile phones, tablets and laptop computers for both personal and professional use carries significant privacy risk—particularly when one world collides with the other,” said Privacy Commissioner Daniel Therrien, adding, “Companies need to consider the risks in advance and prepare to manage them effectively. Only then could they conclude whether a BYOD program is right for them.” A Privacy This Week report suggests the commissioners may use the guidance as a benchmark. [Vancouver Sun]

HK – PDPC Offers Workplace Tips

The Personal Data Protection Commission (PDPC) has published its “Workplace Tips on Personal Data Protection” in DPO Connect. “Controls also have to be put in place to make sure that only authorised personnel have access to personal data,” the PDPC’s report states, noting organizations should also protect users’ passwords by requiring that they be changed, limiting the number of failed login attempts that are allowed before the account is locked and hiding password characters. The PDPC also “advocates for weaving the awareness of personal data protection into the fabric of organisational culture,” the report states. [Full Story]

WW – EFF Announces 2015 Pioneer Award Winners

The Electronic Frontier Foundation has announced its 2015 Pioneer Award recipients. The award recognizes “leaders who are extending freedom and innovation on the electronic frontier.” This year’s recipients, to be recognized at an event on September 24 in San Francisco, include the late Caspar Bowden, a privacy advocate; the human rights and global security researchers at The Citizen Lab, whose work has “put a spotlight” on companies selling state-sponsored surveillance malware and the governments that use them; international Internet access champions Anriette Esterhuysen and the Association for Progressive Communications, and digital community advocate Kathy Sierra. [Full Story]

US – Survey: Federal Employees Using Personal Phones for Work

Half of federal employees access government email and documents from their personal smartphones and mobile devices. A survey commissioned by cybersecurity company Lookout found that out of 1,000 workers from 20 civilian, intelligence and military agencies, 60% said they are aware of the risks, and 85% of those individuals said they use their smartphones anyway. Approximately 40% of employees who work at agencies that prohibit the use of smartphones for work said the rules have little to no impact on their behavior, the report states. Cybersecurity expert Roger Cressey said the challenge for security professionals is “to accept that reality, and come up with proactive solution.” [USA Today]

+++

01-15 August 2015

Biometrics

AU – Agencies to Take Fingerprints from Kids

Children who fight with extremist groups could be prevented from returning to Australia under plans to expand powers to gather biometric data. The Senate has passed legislation to beef up the country’s biometrics system, permitting the collection of data from children as young as 10 without parental consent. Fingerprints, and potentially iris scans and facial images, will be used to match people entering and leaving Australia to a database of known criminals and suspected terrorists. [SBS News]

WW – Facial-Recognition Tech Getting Attention from Apple, Police

A patent filed by Apple in 2014 and published this week, entitled “Systems and methods for sending digital images,” “describes various methods for streamlining the sharing of photos by linking faces to contact data, also utilizing facial recognition tech.” That makes it similar to Facebook’s Moments app, which “uses facial-recognition tech to help distribute photos to the people in them,” the report states. Meanwhile, The New York Times reports on facial-recognition software used by the U.S. military that “is being eagerly adopted by dozens of police departments around the country to pursue drug dealers, prostitutes and other conventional criminal suspects.” [TechCrunch]

WW – HTC Caught Storing Fingerprints as World Readable Cleartext

Four FireEye researchers have found a way to steal fingerprints from Android phones packing biometric sensors such as the Samsung Galaxy S5 and the HTC One Max. The team found a forehead-slapping flaw in the HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in an open “world readable” folder. “Any unprivileged processes or apps can steal user’s fingerprints by reading this file,” the team says, adding that the images can be made into clear prints by adding some padding. It is one of four vulnerability scenarios in which biometric data normally secured in an Android phone’s TrustZone can be pilfered. [The Register]

CA – Biometrically-Authenticated Wearable Payments With Mastercard, TD

The wearables market is beginning to pick up steam, and Toronto’s Nymi is already working on the next generation of wearables technology with a pilot project to complete credit card payments using a wearable whose credentials are biometrically authenticated by a heartbeat. Nymi has been developing its biometric authentication wearable technology, which uses a heartbeat as a unique biometric identifier and maintains the authentication as long as the wearable is being worn. As soon as it’s taken off – or the user’s heart stops beating – the authentication ends, making it a unique approach to security. This summer, Nymi has been working with TD Bank Group and MasterCard to pilot using the Nymi Band to make contactless payments using a TD Bank Mastercard with the credentials stored on the wearable. Using Nymi’s proprietary HeartID technology as well as a Nymi Band prototype enabled with near field communications, 100 TD employees in Toronto, Ottawa and Regina are testing making payments using the contactless Tap & Go payment terminals already at many Canadian retailers. [Source]

Big Data

US – Draft Report Outlines Big Data Challenges

The Office of the National Coordinator’s Health IT Policy Committee Privacy and Security Workgroup (PSWG) completed a draft report outlining the healthcare privacy and security challenges of using big data and recommending steps to address them. “The complex legal landscape around health privacy creates obstacles for individuals trying to access their personal information and hurdles for researchers,” the study states. In addition to governmental transparency regarding its handling of big data, the group also suggests “that current laws around the use of such information should be evaluated and modified to ‘incentivize’ privacy, but that voluntary codes of conduct also could improve security efforts,” the report states. [FierceHealthIT] [The Sound Of Silence: New Video Tech Looks Beyond The Internet Of Things] [Connected medical devices: The Internet of things-that-could-kill-you]

Canada

CA – Sask. Privacy Commissioner, SHRA At Odds Over Privacy Breach

Saskatchewan’s privacy commissioner and the Saskatoon Health Region Authority (SHRA) are at odds over whether disciplinary action taken against a snooping employee should be disclosed. The employee in question had viewed her own along with other individuals’ health records without a need-to-know. According to Ronald Kruzeniski, Saskatchewan’s information and privacy commissioner (IPC), the health records clerk viewed the personal health information to satisfy curiosity and alleviate boredom. The privacy breach came to light in early 2015 through a regular audit. The employee was found to have viewed the personal health information of six people, including her own. [Global News]

CA – BC: Sex-Abuse Case Review a Breach of Privacy: Mom

B.C.’s privacy commissioner has been asked to investigate concerns about an external review of the Ministry of Children and Family Development by retired deputy minister Bob Plecas. Elizabeth Denham’s office confirmed that it has received a complaint about the review, but offered no further comment. Plecas was hired last month to review the ministry’s handling of a high-profile sex-abuse case. In that case, B.C. Supreme Court Justice Paul Walker found that social workers ignored or misled the courts and allowed a sexually abusive father unsupervised access to his four children. The government has appealed Walker’s decision. [The Times Colonist]

CA – Federal Govt’s New Healthy Living App Rewards Canadians With Points

The federal government is unveiling a new app in the fall that will reward Canadians for making healthier lifestyle decisions. The “Carrot Rewards” app aims to push Canadians to eat better, exercise more and live healthier lives, by rewarding them with various types of points. “Canada is the first country in the world to create a national app, a national mobile platform for rewarding its citizens for healthier lives,” said Andreas Souvaliotis, Founder and CEO of Social Change Rewards, which is marketing the app for the government. [Global News] [Canadians are victims of China-based VPN network and new malware kit, say vendors]

WW – IPC: Balancing Transparency, Privacy and the Internet

While providing services to the public, municipalities are often required to collect, use and disclose personal information from and about their community members. Some information received and processed by municipalities is legally required to be made publicly available for the purposes of allowing public participation in decision-making and for maintaining transparency and accountability with respect to the activities of these institutions. Municipalities should balance the need to protect the privacy of their community members, in compliance with provincial privacy legislation, against the need to meet their other legislated obligations. The new guide Transparency, Privacy and the Internet: Municipal Balancing Acts describes a number of policy, procedural and technical options available to municipalities to mitigate the privacy risks associated with publishing personal information on the Internet. [Office of the Information and Privacy Commissioner, Ontario]

Consumer

WW – Google, Facebook Privacy Policies Rank Highest

Time and the Center for Plain Language reviewed the privacy policies of seven of the most ubiquitous tech companies and ranked them based on the clarity of language, finding Google and Facebook’s to be the most straightforward. “A privacy policy that consumers are unlikely to read or understand provides no protection whatsoever,” the report states. “The results of our study are quite consistent, especially at the top and bottom of the rankings: Google and Facebook do a good job of communicating their privacy policies in a way that allows consumers to understand and make decisions—at least motivated consumers. According to the analysis, Lyft and Twitter do a poor job of communicating those policies. The remaining companies—LinkedIn, Uber and Apple—do better in some areas than others.” [Full Story]

US – Consumers Want to Sell Their Own Data, But What’s It Worth?

Digital Catapult, a working group bringing together academics and industry, recently commissioned a study showing that consumers want ways to collect and manage their personal data and want to make money from sharing that data. However, while that may be the case, The Conversation reports that determining a value for a person’s data is no easy task. The Digital Catapult study showed 62% of respondents would be willing to receive 30 GBP per month for sharing their data; however, that was the maximum amount allowed in the study. “No doubt they’d not turn down 100 GBP or 1,000 GBP either.” Compounding that is the question of “who holds the reins: government, business or the third sector?” [Full Story] see also: [How to protect your wireless network from Wi-Fi Sense] [Cellphone Projects in Developing World Need Better Privacy, Security Measures] [How your phone’s battery life can be used to invade your privacy] [New Windows 10 scam will encrypt your files for ransom] [Windows 10 sends identifiable data to Microsoft despite privacy settings] [Microsoft on Windows 10 and Privacy] [Microsoft responds to Windows 10 privacy policy concerns]

E-Government

UK – Fears Over “Lax” Council Data Security

Sensitive personal information has been lost or misused by councils on thousands of occasions, according to a study by privacy campaign group Big Brother Watch. The study found that local authorities recorded 4,236 data breaches over a three-year period from April 2011. Emma Carr, Big Brother Watch director, said: “Despite local councils being trusted with increasing amounts of our personal data this report highlights that they are simply not able to say it is safe with them.” The report, based on responses to Freedom of Information requests sent to local authorities throughout the UK, shows that, amongst other things, “some 197 mobile phones, computers, tablets and USBs were lost or stolen” and “data was lost or stolen on 401 occasions, with 628 instances of incorrect or inappropriate information being shared on emails, letters and faxes”. [Digital By Default News]

US – Data in Clinton’s ‘Secret’ Emails Came from Five Intelligence Agencies

The classified emails stored on former Secretary of State Hillary Clinton’s private server contained information from five U.S. intelligence agencies and included material related to the 2012 fatal attacks in Benghazi, Libya, the McClatchy news service has learned. Of the five classified emails, the one known to be connected to Benghazi was among 296 emails made public in May by the State Department. Intelligence community officials have determined it was improperly released. Revelations about the emails have put Clinton in the crosshairs of a broadening inquiry into whether she or her aides mishandled classified information when she used a private server set up at her New York home to conduct official State Department business. While campaigning for the 2016 Democratic presidential nomination, Clinton has repeatedly denied she ever sent or received classified information. [thestar.com]

US – Study: Gov’t Weaknesses “Deep, Pervasive”

A George Mason University Mercatus Center study of the government’s 30-day “cybersecurity sprint” indicates that while improvements were made, major weaknesses in cybersecurity persist, with 10 agencies declaring noncompliance. “Federal agencies lag far behind the cybersecurity goals that policy-makers have crafted and amended over the past decade. In only one category, security training, do a majority of agencies report full compliance,” the study states, noting the “government’s cybersecurity weaknesses are not merely superficial issues that can be quickly resolved in a few short weeks; they are deep, pervasive and systemic problems resulting from decades of poor information security practices.” [InsiderOnline]

NZ – Justice Minister Tackles ‘Privacy Paralysis’

Justice Minister Amy Adams says privacy laws significantly hamper the ability to detect and deal with domestic violence because government officials and those working with children and families are often over-cautious when it comes to sharing information. Ms Adams will today release a discussion document with proposals to tackle domestic violence which is understood to contain more provisions for sharing information between the courts, police and the agencies and community organisations which deal with families. [The New Zealand Herald]

US – Government’s Privacy Push Garners Results

After the conclusion of the White House Office of Management and Budget-initiated 30-day “cybersecurity sprint” across federal government agencies, there was a 30% increase in more sophisticated password use. While the jump from 42% to 72% was positive, White House Chief Information Officer Tony Scott said he believes “we still have more work to do,” adding that a team of experts would review the government’s “policies, procedures and practices” relating to cybersecurity. Scott said an assessment will be issued in the months ahead, the report states. [Reuters]

E-Mail

US – Yahoo Class-Action Appeal Denied

U.S. District Court Judge Lucy Koh’s ruling to elevate an email privacy suit against Yahoo to a class-action still stands, according to the Ninth Circuit Court of Appeals, which rejected Yahoo’s request to overturn Koh’s decision. Plaintiffs said, “Yahoo violated the federal wiretap law and a California privacy law by allegedly intercepting messages without the consent of both the sender and recipient,” but Yahoo argued “consumers aren’t entitled to class-action treatment because the key issue in the privacy dispute—whether people consented to Yahoo’s email scans—will require individualized assessments,” the report states. Koh had determined “that the consumers raised the kinds of ‘common’ questions that don’t require separate determinations for every affected web user,” the report continues. [Media Post]

WW – Email Marketing Laws and the Results of Compliance

Kissmetrics looks at anti-spam laws, highlighting certain laws and outlining what marketers need to know and the results complying with them can mean for their businesses. “Email marketing is one of the most effective marketing tactics online,” the reports states, noting, “however, there are a number of best practice techniques that you need to comply with to ensure that you don’t irritate your customers or run afoul of regulators.” The report offers the major points of laws in Europe, specifically the UK, and the U.S., stating that “if you protect customer privacy and allow customers to opt out of marketing emails, you will build goodwill … ensure that your marketing will go to customers who are receptive and open to your messages” and “protect you financially.” [Full Story] [Want to be totally secure on the Internet? Good luck]

Electronic Records

CA – LifeLabs to Make Patients’ Test Results Available Online

Ontario’s biggest medical lab company says early access will help patients be better informed when talking with their doctors. For the first time, some patients using Ontario laboratory testing centres will be able to access their results online. Canadian laboratory testing company LifeLabs has announced the launch of an online portal, called My Results, which will allow patients to access their medical test results 24 to 48 hours after testing. The new portal will only offer results from LifeLabs centres. The Ontario Association of Medical Laboratories estimates there are 325 licensed laboratories and specimen collection centres across the province, 240 of which are owned by LifeLabs. Despite the privacy concerns that come with a move online, LifeLabs believes its system is secure. [The Star]

Encryption

WW – Full-Disk Encryption Debate Continues

Manhattan District Attorney Cyrus Vance Jr., Paris Chief Prosecutor François Molins, City of London Police Commissioner Adrian Leppard and High Court of Spain Chief Prosecutor Javier Zaragoza wrote an op-ed making the argument that the full-disk encryption offered in Apple and Google operating systems blocks justice. “Now, on behalf of crime victims the world over,” they write, “we are asking whether this encryption is truly worth the cost.” Later that day, Jenna McLaughlin wrote a counterpoint in The Intercept, stating they posed a “flawed argument” that “misstated the extent of the obstacles to law enforcement” while failing “to acknowledge the value to normal people of protecting their private data from thieves, hackers and government dragnets.” [The New York Times] SEE ALSO: [Post-Snowden, Cryptography Companies Find Success]

WW – ICANN User Information Accessed

The Internet Corporation for Assigned Names and Numbers (ICANN) reported a breach of “user names, email addresses, encrypted passwords and other data, such as bios, interests and newsletter subscriptions.” “Encrypted passwords appear to have been obtained as a result of unauthorized access to an external service provider,” ICANN said, but it has not named the provider. The investigation is ongoing, the report states, noting ICANN site users are being required to update their passwords. This is the third data compromise incident for the organization within the past year. [IT World]

US – Tokenization in the Cloud; Ex-DHS Official: Encryption Is Key

A recent report from CipherCloud reveals that 68% of the 50 banks it surveyed use tokenization, most notably to protect personally identifiable information, IBM’s Security Intelligence reports. The use of tokenization, too, is spreading into the retail industry, the report states. In a CSO Q&A, Dropbox’s Patrick Heim discusses the privacy and security concerns for businesses moving to the cloud. Meanwhile, Richard Marshall, former director of global cybersecurity management for the U.S. Department of Homeland Security, has said businesses need to do a better job at encrypting their services. “There was no thought (at the Office of Personnel Management) to encrypt that data because it was deemed too difficult and too complex to do. Well that’s not accurate,” he said. [CipherCloud]

EU Developments

UK – High Court Strikes Down Data Retention Law

Not long after privacy advocacy groups found six EU member states have data retention laws that “appear to be in contravention to the Charter of Fundamental Rights,” the UK High Court this week declared the UK’s Data Retention and Investigatory Powers Act 2014 (DRIPA) “incompatible with human rights” and “unlawful.” The section of the law requiring retention of data should be “disapplied,” the court ruled, but suspended that ruling until March 31 to give the government time to rewrite the law. Further, the secretary of state has permission to appeal the ruling to the Court of Appeal. [Lexology]

EU – Safe Harbor Agreement Could Be Reached “After Summer”

The Safe Harbor talks between the EU and U.S. are in their final stages, and an agreement could be finalized “after the summer.” The negotiations, which began in January of 2014, aim to ensure U.S. Safe Harbor companies will not be able to “circumvent the EU’s tough data protection regime by passing data on to another company not certified under the data-sharing deal and therefore not adhering to the same privacy standards,” the report states. Under the new Safe Harbor plan, “U.S. registered companies will face stricter rules when transferring data to third parties,” the report continues, noting the negotiations took time “because the EU has wanted to ensure the U.S. guarantees are watertight.” [Reuters]

EU – Potential Last-Minute Resistance to Safe Harbor

Safe Harbor negotiations may face opposition from the Europe of Nations and Freedom (ENF) group of EU Parliamentarians, Sputnik reports. “I do not think that the U.S. will only collect basic data,” said Austrian parliamentarian and ENF member Georg Mayer. “We know from the past how hungry the American services are for every data. So no trust in that, also under the experience we made in the negotiations for TTIP. I think—I have to talk to the rest of the ENF group—we will not vote in favor for that agreement.” The EU and the U.S. are reportedly working out the “final details” of the agreement. [Full Story]

US – Europe News Briefs

The General Data Protection Regulation may not only mandate breach notification but also increase fines “from tens of thousands to a one-million-euro punishment or 5% of global annual turnover, whichever is greater.”

Lokke Moerel analyzes the three iterations of the General Data Protection Regulation to assess whether the Binding Corporate Rules for Processors function remains in the legislation.

Facts & Stats

WW – Estimated Privacy Advisory Market Worth $3 Billion and Counting

The privacy advisory market is worth over $3 billion and is poised to continue its “meteoric rise,” according to estimates by PwC’s Jay Cline, who attributes the uptick to a mixture of the growth of global government privacy regulation, the greater use of big data for corporate competitive edge, technological advances and criminal data breaches. “Today’s privacy advisory market looks like the information-security market did 10 years ago … And where is that market heading today? Last month, Gartner projected that spending on information-security vendors will hit $101 billion by 2018,” Cline said. “If the $3 billion estimate is in the ballpark, and it’s true there’s no one dominant market leader, an upcoming wave of corporate spending is totally up for grabs.” [ComputerWorld]

US – 2015 Health Data Hacks: Stunning Stats

The health data breach statistics for 2015 are stunning. So far this year, just the top five breaches have impacted a total of 99.3 million individuals. And all five involved hacker attacks – which were relatively rare until this year. As of Aug. 4, the official federal tally of major health data breaches since September 2009 listed 1,282 breaches affecting a total of 143.3 million individuals. That means the five recent hacker attacks represent almost 70% of all victims on the six-year tally. And just one of those attacks – the hacking of health insurer Anthem that affected nearly 79 million – accounts for 55% of the total impacted. Top 5 Health Data Breaches in 2015, So Far: Anthem, Premera, UCLA Health, MIE, CareFirst. In addition to the five biggest hacker breaches, the “wall of shame” breach tally from the Department of Health and Human Services’ Office for Civil Rights, which tracks breaches affecting 500 or more individuals, lists another 33 hacking incidents this year, affecting nearly 2.4 million individuals combined. So, the grand total of victims affected by hacking breaches reported this year is 101.7 million. And it’s only August. [Health Information Security]

WW – Report: Companies Face Consequences for Lack of Privacy

A new Forrester report shows there are consequences for companies that don’t meet their customers’ privacy expectations. Forrester’s research shows that one in three adult Americans has cancelled a transaction due to privacy concerns. “In most cases,” the report states, “a person’s willingness to buy from, work for and invest in a company is driven by their perceptions of the company.” With increasing cyberattacks aimed at acquiring consumer data, “The problem is that the internal security many organisations have in place isn’t enough to secure customers … Understanding where all those assets are and managing them holistically is critical.” [Information Age]

WW – Breach Victims Paying Less and Less

The financial impact breaches have on individual victims is becoming increasingly less substantial, thanks to strides in data protection and the nature of what thieves are looking for. “Only a tiny number of people exposed by leaks end up paying any costs, and for the rare victims who do, the average cost has actually been falling steadily,” the report continues. “For the bad guys, your five-year growth plan is not data breaches and stealing credit cards,” said The Nilson Report’s David Robertson. “It involves stealing all the info you can and opening legitimate accounts in people’s names.” And while “the bad guys are getting good … the good guys are getting even better,” he added. [The New York Times]

Filtering

US – Appeals Court: Netflix Didn’t Violate VPPA

The Ninth Circuit Court of Appeals has upheld an earlier decision by U.S. District Court Judge Edward Davila to dismiss a potential class-action lawsuit that alleged Netflix violated the Video Privacy Protection Act (VPPA). The appeals court decided Netflix did not violate the VPPA “by displaying information about subscribers’ movie-watching history to their friends, families and guests,” the report states. Meanwhile, ZDNet reports on the Seventh Circuit Court of Appeals’ recent decision overturning “a district court that had tossed a class-action lawsuit against Neiman Marcus over a 2014 data breach.” [US Appeals Court Sides With Netflix In Privacy Battle Over Home Page] [MediaPost] [Toronto woman’s webcam hacked while watching Netflix]

Finance

US – New Payment Cards Coming this Fall

This fall marks the official switch from swiping cards at the register to utilizing cards with chips for greater security. Small businesses that either don’t know about the change or are overwhelmed at the prospect of getting new readers to facilitate the chips are nervous, the report states. Square is offering 250,000 card-readers for free, the report states, noting the move is important because retailers “could be on the hook for damages from a breach if they don’t upgrade their equipment.” [The Washington Post]

US – CFOs Increasingly Investing in Security

For the first time, Bank of America Merrill Lynch’s 2015 CFO Outlook Pulse Survey asked chief financial officers (CFOs) about data security and fraud issues. The survey found that 82% of U.S. companies have a formal data security plan, and 69% showed an increase in the investment in data security, the report states. In addition, 10% of the companies said they’ve had a data breach, and 48% said the impact of the breach was minimal. Companies are increasingly investing in anti-virus spyware detection programs and installing actively managed firewalls, and 83% are using malware software, the report states. [SC Magazine]

WW – Is Yodlee Selling Data the Right Way?

For Yodlee, which provides personal financial tools, roughly 10% of the company’s 2014 revenue came from selling anonymized data to investment firms. Yodlee says it “adheres to strict privacy standards to ensure that the transaction data in our data products is anonymized and does not contain personally identifiable or attributable information,” adding the data is used “to develop more sophisticated analytic solutions.” Peter Swire, who Yodlee hired to review its privacy practices, said it is “doing the technical and administrative things that regulators have recommended” to protect the anonymity of the data, and is “not in the business of playing spy” to figure out transaction histories of individuals or their names. [The Wall Street Journal]

Health / Medical

WW – Need to Brush Up on Your BA Agreements?

A report discusses third-party partnerships between healthcare associations and business associates (BAs) and the importance of ensuring HIPAA compliance. “All parties should have a thorough understanding of their relationship and how they are expected to maintain patient data security,” the report states. Under HIPAA rules, BAs are responsible for keeping protected health information (PHI) secure—it’s not just the covered entity that bears the burden. This should be ensured through the covered entity’s agreement with the BA. “Not only does the business associate agreement dictate how and when PHI could be disclosed, it also outlines the potential consequences should sensitive information be exposed,” the report states. [HealthITSecurity]

US – Judge Orders NHL to Turn Over Injury and Concussion Data

The National Hockey League has been ordered by a judge to turn over reams of data about player injuries and concussions to lawyers representing former NHL players who are suing the league. The roughly 80 former players who are suing the NHL, including Bernie Nicholls, Gary Leeman and Butch Goring, allege NHL and team executives knew or ought to have known about the links between head trauma and long-term cognitive problems but failed to do enough to protect players, all the while profiting from the violence of hockey. The NHL has argued interested players could have read medical research and news reports on their own and put “two and two together” about the dangers of repeated head hits and concussions. In an order released late week, U.S. Federal Court judge Susan Nelson agreed to some but not all of the requests for discovery filed by the former players’ lawyers. “The Court finds that the (NHL’s) blanket application of the physician-patient privilege – protecting all medical data from disclosure – is inapplicable here,” the judge wrote in her ruling. “The clubs are ordered to produce any internal reports, studies, analyses and databases in their possession (whether initiated by the U.S. clubs, NHL, or retained researchers) for the purpose of studying concussions in de-identified form. The U.S. clubs shall produce any responsive correspondence and/or emails between themselves, themselves and the NHL, or with any research or other professional about the study of concussions.” [tsn.ca]

WW – WADA Urges Athletes to Report Privacy Breaches From Leaked IAAF Doping Inquiry

The World Anti-Doping Agency invited athletes to come forward if they feel their privacy was breached by leaked results of suspicious blood tests. WADA said its independent commission will “urgently” investigate the allegations of widespread doping in athletics aired by German broadcaster ARD. The inquiry, led by IOC member and former WADA head Dick Pound, began after ARD alleged systematic doping in Russian athletics last December. A follow-up program broadcast last Sunday alleged that IAAF files showed 800 suspicious results in blood samples from 5,000 athletes in the years from 2001-12. ARD and British newspaper The Sunday Times suggested the IAAF did not act on the evidence. [The Associated Press]

UK – Boots, Tesco and Superdrug to Get Access to NHS Medical Records

High street pharmacies such as Boots, Tesco and Superdrug will be given access to NHS medical records, under a national scheme which privacy campaigners fear could expose patients to “hard sell” tactics. Health officials have drawn up plans to send sensitive data from GP surgeries to pharmacies across the country, starting this autumn, without considering the views of patients. NHS England says the scheme will ease pressures on family doctors, and improve the care given to patients in the High Street. But campaigners fear major commercial chains will be able to exploit the valuable data, and use it to push the sales of their products. Officials have now ordered the national rollout of the scheme, on the basis of an evaluation of pilots in 140 pharmacies which they say showed “significant benefits”. But the official report shows that the research garnered responses from just 15 patients – a sample so small that their views were discarded from the research. [The Daily Telegraph]

Horror Stories

US – Hackers Breach Sabre, American Airlines; More OPM Fallout

A group of China-backed hackers believed to have accessed the databases of the Office of Personnel Management (OPM) and Anthem is allegedly behind similar breaches at American Airlines and Sabre, which processes reservations for airlines and hotels. Meanwhile, in a memo to OPM Director Beth Cobert, Inspector General (IG) Patrick McFarland said the OPM’s Office of the Chief Information Officer (CIO) has “hindered and interfered with” IG oversight and “has created an environment of mistrust by providing my office with incorrect and/or misleading information.” Additionally, in a letter to Cobert, Rep. Jason Chaffetz (R-UT), who repeatedly called for the resignation of the previous OPM Director Katherine Archuleta, is calling for current OPM CIO Donna Seymour—appointed by Archuleta—to resign. [Bloomberg Business] [Stolen Consumer Data Is a Smaller Problem Than It Seems]

US – Fitness Firm Says Ex-Employee Stole Data

Exercise chain Planet Fitness has been granted a restraining order against a former payroll manager after successfully arguing the ex-employee is in possession of sensitive data that he threatened to release publicly. The ex-employee was mistakenly emailed the data because he shared the name of one of the company’s lawyers. After being asked to delete the email and its contents, and saying he did so, the ex-employee later revealed he had downloaded the attachment along with other data, such as the PII of 900 Planet Fitness employees, including the executive team. The restraining order says the ex-employee cannot “use, copy, destroy, disseminate, transmit, secret, print, publish, tamper with or alter Planet Fitness’ confidential information.” However, the judge did not grant a request to seize all of the ex-employee’s electronic media. Meanwhile, an unnamed man employed by an unnamed federal agency is highlighted in an SFGate feature after complaining that he can’t turn off the GPS function on his employer-issued smartphone. [Seacoastonline.com] [Privacy breach no more: Eastern Health finds missing USB in file folder] [Michael’s Breach: What We’ve Learned]

US – Faulty Record Disposal by Business Associate Exposes Physician Practice

FileFax Inc., a Chicago-area record storage and disposal company, is being sued by the Illinois attorney general’s office for improper disposal and exposure of thousands of patient medical records, which belonged to Suburban Lung Associates, a pulmonology group. Suburban Lung Associates had hired FileFax to dispose of the medical documents. Instead of properly disposing of the medical documents, FileFax dumped the records into an unlocked, public garbage dumpster. The documents that were placed in the dumpster contained records for about 1,500 patients and included information such as Social Security numbers, names and phone numbers, among other information. According to Elizabeth G. Litten, an attorney at Fox Rothschild LLP, many companies outsource the storage as well as disposal of records to a third party. [Mondaq News] [Breached Retailer: ‘I Wish I Had Known How Sophisticated …‘]

US – AG Investigating MIE Breach

The Indiana Office of the Attorney General (AG) is investigating the recent Medical Informatics Engineering (MIE) data breach, which exposed the Social Security numbers and medical information of 3.9 million people and could spell big trouble for the organization. “MIE is going to be in the limelight throughout the process,” the report states, noting AGs have the power to broaden the scope of investigations beyond HIPAA violations to include state laws. Meanwhile, James Young, one of the victims in the breach, is suing MIE, claiming it didn’t “take adequate and reasonable measures to ensure its data systems were protected” and did not “take available steps to prevent and stop the breach from ever happening.” [FierceEMR]

US – White House Details Contractor Data Breach Guidelines

The Office of Management and Budget (OMB) has released detailed guidance for data breach contract clauses for federal agencies. The newly proposed “Improving Cybersecurity Protections in Federal Acquisition” aims to make sure federal data is protected, whether it sits in a federally owned system or in a corporate vendor’s system. The guidance is open to comment until September 10. Once finalized, agencies’ senior privacy officers along with their chief information officers, chief acquisition officers, chief information security officers and other officials “shall immediately begin working together to apply the guidance,” the proposal states. [Next Gov] See also: [Is the FTC Guide a Sure-Fire Way To Stay Out of Trouble?] [Careers can end with the click of a mouse]

WW – ICANN Resets Passwords After Website Breach

The overseer of the Internet’s addressing system said that someone obtained information related to user accounts for its public website, although no financial information was divulged. ICANN, short for the Internet Corporation for Assigned Names and Numbers, said user names, email addresses, encrypted passwords and other data, such as bios, interests and newsletter subscriptions, were contained in the accounts. Despite the breach, the accounts as well as internal ICANN systems do not appear to have been accessed, the organization said in a post on its website. Although an investigation continues, ICANN said the “encrypted passwords appear to have been obtained as a result of unauthorized access to an external service provider.” It did not name that provider. [ComputerWorld]

US – Investigation Reveals HHS Incidents; IRS Breach Announced

A review of the Department of Health & Human Services (HHS) by the House Energy & Commerce Committee has revealed evidence of five breaches within three years. “What we found is alarming and unacceptable,” said Reps. Fred Upton (R-MI) and Tim Murphy (R-PA). “At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack,” they continued. This announcement follows the IRS’s disclosure that a flash drive containing the personal information of some 12,000 Texas school district employees was “misplaced” by an IRS worker completing an audit of the district. [The Hill]

US – Shutterfly Wants Suit Dismissed

Shutterfly is asking a federal judge to dismiss a lawsuit accusing the company of “violating a state privacy law by compiling a database of ‘faceprints’.” The request responds to a lawsuit filed in June by Brian Norberg, who claims Shutterfly and its subsidiary ThisLife violated an Illinois biometrics privacy law by including his faceprint even though his photo was uploaded by someone else. But Shutterfly wrote in its dismissal motion, filed Friday with U.S. District Court Judge Charles Norgle in Illinois, “Helping a user re-identify his own friends within his own digital photo album does not violate any law.” [MediaPost]

US – Florida: DCF Employee, Husband Stole Identities to Get Public Assistance

As an employee of Florida’s Department of Children & Families, Clara Builes was in charge of approving applications for public-assistance benefits for the poor. But Miami-Dade prosecutors say that for nearly four years, she used her position to help steal the identities of several unsuspecting people, getting fraudulent benefit cards used to buy nearly $20,000 in food and groceries. Builes and her husband, Gonzalez Builes, 53, surrendered Wednesday to face an array of white-collar charges, including official misconduct, grand theft and public assistance fraud. [The Miami Herald]

Identity Issues

US – OCR Reaches First-Ever Transgender Privacy Settlement

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a voluntary settlement with a New York City medical center establishing a new standard of care for transgender patient privacy. The OCR reached the agreement with The Brooklyn Hospital Center (TBHC) after a patient alleged the Affordable Care Act was violated when TBHC assigned “a transgender female who presented as a female at the hospital … to a double-occupancy patient room with a male occupant,” the report states. Under the new agreement, TBHC will adopt and train employees on new transgender policies. Apgar & Associates Attorney Chris Apgar said, “The next settlement may not be a voluntary settlement and may include the levying of civil penalties.” [AIS Health]

WW – Hacker Demonstrates Ease of “Killing” Virtually Anyone

At the DEF CON event in Las Vegas, Chris Rock, CEO of Kustodian, demonstrated the ease with which he was able to have living people legally declared dead. Using online death-registration systems to pose as a doctor or funeral director, Rock was able to “game the system,” reports CSM’s Passcode, and have death certificates issued for living people. Similarly, Rock showed how he could create a “totally new virtual baby,” exploiting similar weaknesses in the birth registration process in many countries. Rock initially focused on the Australian system and “was shocked to find (death registration) was an online system without any protection at all.” With no verification process for doctors or funeral directors, “you can kill someone in about 10 minutes,” Rock said. [Full Story] [Just how easy is it to digitally fake a death?]

Internet / WWW

WW – Interpol is Training Police to Fight Crime on the Darknet

Interpol has just completed its first training course designed to help police officers use and understand the Darknet. The five-day course was held in Singapore and attended by officers from around the world. According to Interpol, the next course will be held in Brussels. The students did not, it seems, explore the live Darknet itself. Interpol said in a statement that its Cyber Research Lab “created its own private Darknet network, private cryptocurrency and simulated marketplace, recreating the virtual ‘underground’ environment used by criminals to avoid detection.” Police forces have had some successes in the past two years, taking down the Silk Road drug-dealing site in 2013 and more than 400 services in Operation Onymous in November 2014. However, new services soon emerge to replace them. [ZD Net]

WW – Beacon Project: Privacy-Conscious Data Sharing?

The Global Alliance for Genomics and Health’s (GA4GH) Beacon Project uses beacons to allow organizations to share genomic data with greater ease. “A beacon is a web server that answers the question, ‘Have you observed this allele or mutation?’” explains GA4GH’s Marc Fiume; it does not ask for the specifics of how or where. “Within this climate of data protectionism, the Beacon Project is a clever way to ask organizations to share even a little bit of information,” the report states, noting institutions can create “online search functions that let anyone in the world take a peek at their databases—but only to find a particular kind of information that was carefully chosen not to overly expose privacy or security risks.” [Bio-IT World]

WW – Coalition Issues Stronger DNT Standard

Digital rights group Electronic Frontier Foundation and a coalition of privacy-enhancing companies that includes Disconnect, Adblock, Mixpanel, Medium and DuckDuckGo, have issued a stronger Do-Not-Track (DNT) standard. EFF Chief Computer Scientist Peter Eckersley said, “We are greatly pleased that so many important web services are committed to this powerful new implementation of Do Not Track, giving their users a clear opt-out from stealthy online tracking and the exploitation of their reading history.” Disconnect Chief Executive Casey Oppenheim said, “The failure of the ad industry and privacy groups to reach a compromise on DNT has led to a viral surge in ad blocking, massive losses for Internet companies dependent on ad revenue and increasingly malicious methods of tracking users and surfacing advertisements online.” [The Guardian] [Privacy pressure group EFF announces stronger Do Not Track standard]

WW – Ad-Blocking Technology Expected to Cost Industry Billions

“If I don’t know what data is being collected on me, I’d rather block it.” That’s Guillermo Beltrà’s policy on pop-up advertisements. Beltrà is one of an increasing number of Internet users who are taking sophisticated measures to sidestep online revenue-generating efforts by using ad-blocking software. That’s according to a new report by Adobe and PageFair, which said such ad-blocking will lead to almost $22 billion of lost advertising revenue this year, up 41% compared to the previous 12 months. That kind of trend is causing grave concerns for firms relying on online advertising for revenue, the report states. [New York Times] [Online ad-blocking is on the rise. That’s bad news for everyone.]

Law Enforcement

UK – Breach May Have Affected 2.4 Million

The UK Information Commissioner’s Office is “making inquiries” after retailer Carphone Warehouse said the personal details of up to 2.4 million customers may have been accessed in a cyber-attack discovered last week. The encrypted credit card details of up to 90,000 individuals may have been accessed, the company said. The other data accessed could include names, addresses, dates of birth and bank details. Those affected are being contacted. Dixons Carphone, which owns Carphone Warehouse, said additional security measures have been brought in and the affected websites have been taken down. [BBC News]

WW – Google to Restructure Into Alphabet Conglomerate

Google Cofounders Larry Page and Sergey Brin announced a massive restructuring of Google under the umbrella holding company now called Alphabet. Page writes, “Alphabet is mostly a collection of companies,” adding, “The largest of which, of course, is Google.” Under the new structure, Page will assume the role of CEO and Brin will be president of Alphabet, while Sundar Pichai—known for his work on Chrome and Android—will become the new CEO of Google. Each business under Alphabet will have a CEO “with Sergey and me in service to them as needed,” Page writes. X labs as well as Capital and Ventures, for example, will be broken out from Google under Alphabet. [Full Story]

Location

US – Appeals Court Says Warrant Required for Cell Location Data

The Fourth US Circuit Court of Appeals has ruled that law enforcement must obtain a warrant before requesting historical cell phone location data from service providers. According to the decision, that information is protected under the Fourth Amendment. [SC Magazine] [The Register]

WW – “Marauder’s Map” App Revealed Facebook Users’ Locations

Harvard student Aran Khanna built a Chrome extension called “Marauder’s Map” that uses the location data attached to messages sent through Facebook’s Messenger app to determine users’ whereabouts to within about a meter. Khanna explained how he found an acquaintance’s dorm room by “looking at the cluster of messages sent late at night.” He then realized he could also locate users he was not friends with, as long as they were part of the same group chat. Facebook asked Khanna to take down the app, which he did, though he uploaded the code to GitHub—while also directing readers to a page on protecting their privacy. Facebook promptly launched an update to Messenger and has revoked Khanna’s internship at the company. [Wired] [How Facebook could affect your chances of getting a loan]
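The inference Khanna describes, reading a home location off the late-night cluster, works on any message export that carries coordinates. The following is an added example written for this digest; it is not code from the Marauder’s Map extension or from Facebook. It keeps night-time sends, bins them into roughly 100 m grid cells and returns the centroid of the busiest cell. The messages, coordinates, the 23:00–05:00 UTC window and the cell size are all constructed assumptions.

```javascript
// Added example, not code from the Marauder's Map extension or from Facebook.
// Infers a likely home location from message metadata that carries coordinates,
// in the way the article describes: keep night-time sends, bin them into ~100 m
// grid cells and take the centroid of the busiest cell. All data is constructed.

const CELL_DEG = 0.001;                 // ~111 m in latitude; assumed bin size
const NIGHT_START = 23, NIGHT_END = 5;  // hours (UTC); assumed "late at night" window

function isNight(iso) {
  const h = new Date(iso).getUTCHours();
  return h >= NIGHT_START || h < NIGHT_END;
}

function cellKey(m) {
  return `${Math.floor(m.lat / CELL_DEG)},${Math.floor(m.lon / CELL_DEG)}`;
}

// Returns { lat, lon, count } for the densest night-time cell, or null when fewer
// than minCount messages support it (one stray night message is not a home).
function inferHome(messages, minCount = 3) {
  const cells = new Map();
  for (const m of messages) {
    if (!isNight(m.ts)) continue;
    const key = cellKey(m);
    if (!cells.has(key)) cells.set(key, []);
    cells.get(key).push(m);
  }
  let best = null;
  for (const group of cells.values()) {
    if (!best || group.length > best.length) best = group;
  }
  if (!best || best.length < minCount) return null;
  const lat = best.reduce((s, m) => s + m.lat, 0) / best.length;
  const lon = best.reduce((s, m) => s + m.lon, 0) / best.length;
  return { lat, lon, count: best.length };
}

// Constructed sample: four late-night messages from one dorm-sized area, three
// daytime messages from elsewhere in the city, and one stray late-night message.
const SAMPLE_MESSAGES = [
  { ts: '2015-05-20T03:12:00Z', lat: 42.37362, lon: -71.10971 },
  { ts: '2015-05-20T04:05:00Z', lat: 42.37361, lon: -71.10973 },
  { ts: '2015-05-21T23:40:00Z', lat: 42.37363, lon: -71.10970 },
  { ts: '2015-05-22T01:02:00Z', lat: 42.37362, lon: -71.10972 },
  { ts: '2015-05-20T14:00:00Z', lat: 42.36010, lon: -71.05890 },
  { ts: '2015-05-21T15:30:00Z', lat: 42.36020, lon: -71.05900 },
  { ts: '2015-05-21T18:10:00Z', lat: 42.36550, lon: -71.10400 },
  { ts: '2015-05-22T23:50:00Z', lat: 42.36020, lon: -71.05880 },
];

// Usage: inferHome(SAMPLE_MESSAGES) -> { lat: ~42.37362, lon: ~-71.10972, count: 4 }
```

Fixing the leak sits on the sender side, not in this code: the only reliable control is not attaching precise coordinates to each message by default, which is what Facebook’s Messenger update changed.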

WW – Software Engineer Obtains Thousands of Facebook Users’ Data

After a software engineer was able to access data on thousands of users by simply guessing their mobile telephone numbers, Facebook has been urged to tighten its privacy settings. Reza Moaiandin, the software engineer who alerted Facebook of the flaw through its “bug bounty” program, obtained the names, profile pictures and locations of users who had linked their mobile numbers to their Facebook accounts but hadn’t made it public, the report states. Moaiandin said the vulnerability leaves the system open to abuse and urged the site to add a second layer of encryption, which he says would have prevented him from finding the users’ information. [The Guardian] [Facebook urged to tighten privacy settings after harvest of user data]
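The flaw described above is an enumeration problem: the reverse lookup answers any caller for any number, so walking a numbering block harvests every linked profile. The following added example, not Facebook’s code, models that lookup with constructed users and numbers and assumes, as the hardening, a per-user setting with the values everyone, friends and nobody and a fixed per-caller query budget. Encrypting the stored numbers, which is what the researcher proposed, would not on its own stop a range walk, because the attacker never reads the store and only asks the service.

```javascript
// Added example, not Facebook's code. Models a phone-number reverse lookup, the
// range walk that harvests profiles from it, and a hardened version that honours a
// per-user lookup setting and a per-caller query budget. Users, numbers and the
// setting values ('everyone' | 'friends' | 'nobody') are constructed assumptions.

const USERS = [
  { id: 1, name: 'Alice', phone: '+15550100001', lookupBy: 'everyone', friends: [2] },
  { id: 2, name: 'Bob',   phone: '+15550100002', lookupBy: 'friends',  friends: [1] },
  { id: 3, name: 'Carol', phone: '+15550100003', lookupBy: 'nobody',   friends: [] },
  { id: 4, name: 'Dave',  phone: '+15550100007', lookupBy: 'everyone', friends: [] },
];
const BY_PHONE = new Map(USERS.map((u) => [u.phone, u]));

// Vulnerable: any caller, any number, no budget. Linked numbers whose owners have
// not made them public still resolve, which is the behaviour the article reports.
function lookupVulnerable(callerId, phone) {
  const u = BY_PHONE.get(phone);
  return u ? { id: u.id, name: u.name } : null;
}

// Hardened: each caller gets a fixed budget of lookups, spent on hits and misses
// alike, and a number only resolves if its owner's setting permits this caller.
// A refusal returns null exactly like an unlinked number, so the response itself
// does not confirm that the number is on file.
function makeHardenedLookup(budget) {
  const spent = new Map();
  return function lookupHardened(callerId, phone) {
    const used = (spent.get(callerId) || 0) + 1;
    spent.set(callerId, used);
    if (used > budget) throw new Error('lookup budget exhausted');
    const u = BY_PHONE.get(phone);
    if (!u) return null;
    const allowed =
      u.lookupBy === 'everyone' ||
      (u.lookupBy === 'friends' && u.friends.includes(callerId));
    return allowed ? { id: u.id, name: u.name } : null;
  };
}

// Attacker's range walk: try every number in a block until the service cuts us off.
function enumerate(lookup, callerId, prefix, count) {
  const names = [];
  for (let i = 0; i < count; i++) {
    const phone = prefix + String(i).padStart(3, '0');
    let hit;
    try {
      hit = lookup(callerId, phone);
    } catch (e) {
      break; // budget exhausted: the walk stops here
    }
    if (hit) names.push(hit.name);
  }
  return names;
}

// Usage: enumerate(lookupVulnerable, 99, '+15550100', 10) -> ['Alice','Bob','Carol','Dave']
//        enumerate(makeHardenedLookup(5), 99, '+15550100', 10) -> ['Alice']
```

In practice the budget would be keyed on the account and on the source address, and a walk that spends its budget on misses should itself be a signal worth alerting on.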

Online Privacy

WW – EFF Launches Ad-Block Extension

After a period of beta testing, the Electronic Frontier Foundation (EFF), just days after announcing an alternative do-not-track (DNT) coalition and standard, has officially launched a Privacy Badger 1.0 browser extension that aims to stop advertisers and other third parties from secretly tracking users. “If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser,” the EFF states. Alan Chapell said, “There’s no mechanism for anyone in the digital media ecosystem to trust any DNT signal they receive. As a result, the entire framework is open to question.” [Consumer Affairs]

WW – Google, Facebook Privacy Policies Rank Highest

Time and the Center for Plain Language reviewed the privacy policies of seven of the most ubiquitous tech companies and ranked them based on the clarity of language, finding Google and Facebook’s to be the most straightforward. “A privacy policy that consumers are unlikely to read or understand provides no protection whatsoever,” the report states. “The results of our study are quite consistent, especially at the top and bottom of the rankings: Google and Facebook do a good job of communicating their privacy policies in a way that allows consumers to understand and make decisions—at least motivated consumers. According to the analysis, Lyft and Twitter do a poor job of communicating those policies. The remaining companies—LinkedIn, Uber and Apple—do better in some areas than others.” [Full Story]

WW – Twitter Makes All Public Tweets Available to Advertisers

Twitter has announced that every public tweet posted since the beginning of the social network, more than nine years ago, will now be available to brands and advertisers. The more than 500 billion tweets will be searchable through a new API. “The dream of mining this data for real-time, in-depth, unbiased insights on a global scale is getting ever closer,” said Brandwatch’s Giles Palmer. Additionally, Twitter released its new Transparency Report, announcing it will expand its scope to include two new sections on trademark notices and email privacy practices. Message Systems also announced a new reporting tool developed with Twitter called the Email Privacy Report, which “details email encryption as it is transferred between domains and ISPs,” a report states. [Wired]

WW – Device Battery Life May Allow For Online Tracking

A new report from four French and Belgian security researchers reveals that a device’s battery status could allow websites to track users across the Internet without their knowledge. The W3C’s Battery Status API lets websites read a device’s battery level and its estimated time to charge or discharge, so that they can offer a lower-energy mode when the battery is getting low. The specification allows sites to read the data without asking consent because “the information disclosed has minimal impact on privacy or fingerprinting and therefore is exposed without permission grants,” the World Wide Web Consortium (W3C) stated. The researchers disagree, pointing out that some browsers exposed the level with far more precision than a percentage, and that the combination of level and time estimates, which changes only slowly, acts as a short-lived identifier: two sites that read the same values at about the same moment can conclude they are seeing the same device, even if the user cleared cookies or switched to private browsing in between. [The Guardian]
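To make the identifier concrete, the following is an added example written for this digest; it is not code from the researchers’ paper, the W3C specification or any browser. It models the readings a site gets from the API as plain objects, builds the raw tuple a tracker would use to link visits, and shows a coarsened alternative (level rounded to 0.01 and time estimates rounded to 10-minute steps, both assumed mitigation parameters rather than anything the specification mandates). The visits and battery values are constructed.

```javascript
// Added example, not code from the researchers' paper, the W3C spec or a browser.
// Models (1) how a site turns Battery Status API readings into a short-lived device
// identifier and (2) the mitigation of coarsening the values before exposure.
// Reading objects mirror the BatteryManager attributes; sample values are constructed.

// Identifier built from the raw attributes. Where level is exposed as a full double
// and the time estimates in whole seconds, the tuple is near-unique for the window
// in which it stays constant, so two sites that see the same tuple can link visits.
function rawFingerprint(b) {
  return [b.charging ? 1 : 0, b.level, b.chargingTime, b.dischargingTime].join('|');
}

// Coarsened identifier: level rounded to 0.01 (at most 101 buckets) and the time
// estimates rounded to 10-minute steps. Assumed mitigation parameters, not the spec's.
function coarseFingerprint(b) {
  const level = (Math.round(b.level * 100) / 100).toFixed(2);
  const coarse = (t) => (Number.isFinite(t) ? Math.round(t / 600) * 600 : 'inf');
  return [b.charging ? 1 : 0, level, coarse(b.chargingTime), coarse(b.dischargingTime)].join('|');
}

// Group visits by whichever identifier the site computes and report, per key,
// which distinct sites and which distinct devices share it.
function crossSiteLinks(visits, fingerprint) {
  const groups = new Map();
  for (const v of visits) {
    const key = fingerprint(v.battery);
    if (!groups.has(key)) groups.set(key, { sites: new Set(), devices: new Set() });
    groups.get(key).sites.add(v.site);
    groups.get(key).devices.add(v.device);
  }
  return [...groups.entries()].map(([key, g]) => ({
    key,
    sites: [...g.sites].sort(),
    devices: [...g.devices].sort(),
  }));
}

// Constructed sample: laptop-A visits two sites within one update window (identical
// readings); laptop-B is at a similar charge level but a different precise value.
// The `device` field is ground truth for the demonstration only; a site never sees it.
const SAMPLE_VISITS = [
  { site: 'news.example', device: 'laptop-A',
    battery: { charging: false, level: 0.5839166666666667, chargingTime: Infinity, dischargingTime: 6842 } },
  { site: 'shop.example', device: 'laptop-A',
    battery: { charging: false, level: 0.5839166666666667, chargingTime: Infinity, dischargingTime: 6842 } },
  { site: 'news.example', device: 'laptop-B',
    battery: { charging: false, level: 0.58, chargingTime: Infinity, dischargingTime: 6700 } },
  { site: 'shop.example', device: 'laptop-B',
    battery: { charging: false, level: 0.58, chargingTime: Infinity, dischargingTime: 6700 } },
];

// Usage: crossSiteLinks(SAMPLE_VISITS, rawFingerprint)    -> two keys, one device each
//        crossSiteLinks(SAMPLE_VISITS, coarseFingerprint) -> one key shared by both devices
```

Coarsening shrinks the identifier space but does not empty it; combined with other browser attributes even a few bits still help a fingerprint, which is why the cleaner fix is to not expose the values at all without a reason.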

WW – Twitter’s Tweet-Sharing Is Troubling

Twitter’s declaration that companies will now have the ability to access over 500 billion public tweets is a problematic one, Rochester Institute of Technology’s Evan Selinger and Samford University’s Woodrow Hartzog write in an op-ed for CSM’s Passcode. “If you care about privacy, you’ll be troubled by the deepening commodification of our online conversations,” they write. Selinger and Hartzog point out that when we’re communicating with friends via social networks it is “easy to forget we’re really speaking directly to companies that need to monetize our data to grow. If these companies don’t give us good options for responding to diminished obscurity, they aren’t taking our privacy seriously.” [Full Story]

WW – The Shaky State of the Cookie Opt-Out

A new report examines the state of opt-outs on mobile devices and the challenges the industry faces in honoring them. With a growing debate around consumer choice and ad blocking, “it’s clear that existing opt-out mechanisms aren’t exactly cutting it,” particularly with regard to cross-device tracking, the report states. Stanford University’s Jonathan Mayer wrote earlier this summer in a blog post that if the industry offers “an opt-out, they can only do so with a likelihood, but no guarantee, that the opt-out will transfer to other devices.” Experian Marketing Services’ Brienna Pinnow said, “How can the consumer understand this ecosystem if we ourselves are struggling with the best way to do it?” [Full Story]

Other Jurisdictions

WW – New Accountability Paper to Be Released at Nymity Workshops

Nymity heralds the publication of “Getting to Accountability: Maximizing Your Privacy Management Program,” a paper that works in conjunction with the corporation’s “Getting to Accountability” global workshop series, Nymity said in a statement. “The Nymity accountability paper is unique as it takes a resource-based approach to building a privacy management program,” said the company’s President, Terry McQuay. “It helps privacy offices overcome the challenges of communicating and evaluating a definitive privacy management program, leveraging and motivating individuals throughout the organization, and justifying the business case to obtain the necessary resources.” The paper will be released at the workshops. [Full Story]

WW – Other Jurisdiction News

China has issued a draft Network Security Law.

India’s Department of Biotechnology has released a modified draft of the Human DNA Profiling Bill, but according to one legal researcher privacy concerns remain unaddressed.

At a consultation meeting in Islamabad, a Pakistani cyber-crime bill received criticism over concerns that it is overly broad and could criminalize dissent.

India’s constitutional bench of the Supreme Court will decide if privacy is a fundamental human right, a move catalyzed by pushback on the government-mandated Aadhaar system, which utilizes biometric information for its citizen ID cards.

The Australian Labor Party is urging a rethink on the proposed Telecommunications Act.

23 individuals and 10 companies are being indicted by a Korean Supreme Prosecutors’ Office task force for violating the Personal Information Protection Act.

Chinese search engine Baidu has won its appeal in the Intermediate People’s Court of Nanjing City, which said its “use of cookies to personalize advertisements directed at consumers on partner third-party websites does not infringe consumer rights of privacy.”

Colombia’s Supreme Court has ruled that parents who monitor their under-18-year-old children’s online activity do not violate the minors’ privacy.

Russia’s data protection authority has been holding meetings with business associations to clarify the country’s localization law that goes into effect September 1.

Privacy (US)

US – Neiman Marcus Continues Battle against Class-Action

A Seventh Circuit panel that allowed a data breach suit against Neiman Marcus to proceed misapplied the Supreme Court’s precedents on standing and, if the decision is allowed to stand, it “will impose wasteful litigation burdens on retailers and the federal courts.” That’s the argument Neiman Marcus made in a petition asking the full Seventh Circuit to rehear the case. Last month, the panel ruled Neiman Marcus customers whose credit card information was potentially exposed in a 2013 breach could proceed with their proposed class-action, finding the customers alleged sufficient injuries associated with subsequent identity-theft protection and fraudulent charges. Editor’s Note: A recent post for Privacy Tracker analyzed the Neiman Marcus case. [Full Story] [US – Donald Trump offered access to the Republican National Committee’s voter file]

US – Protester Arrests Draw Attention to SCOTUS Decisions

After Black Lives Matter protesters Johnetta Elzie and DeRay Mckesson were arrested on Monday along with 57 other protesters in St. Louis, MO, their social media posts pronounced disquiet about procedural cheek-swabbing. This draws attention to a 2013 Supreme Court decision that upheld the practice. Alonzo King first challenged the idea of DNA swabbing upon arrest after his genetic information was matched to an unsolved rape, of which he was later convicted, a move that he argued infringed his Fourth Amendment rights. In the resulting case, Maryland v. King, the Supreme Court narrowly disagreed. Similarly, the protesters’ reliance on cell-phone video and social media posts draws attention to 2014’s Riley v. California, which found that police cannot search cell phones during arrest without a warrant. Without that decision, the report argues, “you don’t have to be Fox Mulder to see the potential for government abuse.” [Full Story]

US – NTIA Drone Talks Begin

The National Telecommunications and Information Administration (NTIA) held its first meeting with stakeholders to discuss best practices for drone usage. The NTIA’s John Verdi explained the goal is to “inform” the technology’s development, the report states. “We are not regulators,” said the NTIA’s Angela Simpson. “We are not developing rules or bringing enforcement actions,” noting that unifying stakeholder perceptions of “common-sense best practices” would permit a “major boon” for drones. While groups like the Motion Picture Association of America expressed support for the NTIA gathering, they argued that “existing laws and regulations and the good conduct of their members will do most of the heavy lifting on privacy protections for the new technology.” Further meetings are scheduled for the fall. Editor’s Note: Joseph Jerome recently wrote a piece for Privacy Perspectives on why privacy pros should be involved with drone discussions. [Full Story] [NZ: First TV drone complaint: No breach] [Vancouver woman says drone appeared to be trying to get images of her suntanning topless on balcony]

US – Jeep Owners File Complaint

A potentially massive lawsuit may follow Jeep’s hacking scandal, Wired reports. Three Jeep Cherokee owners have filed a complaint against Fiat Chrysler Automobiles and Harman International—the maker of the Uconnect dashboard computer in millions of Chrysler vehicles, the report states. A security flaw in the Uconnect system was the entry point for the security researchers who last month demonstrated they could wirelessly hack into a 2014 Jeep over the Internet, interfering with its steering, brakes and transmission. The plaintiffs are inviting anyone with a Uconnect system to join the complaint, which accuses the companies of fraud, negligence, unjust enrichment and breach of warranty. [Full Story] [Chrysler Knew of Vulnerability for More than a Year | Bloomberg | Wired] SEE ALSO: [VW Hid Security Flaw For Two Years] [Tesla Patches Model S Software Vulnerabilities | Wired | CNET | BBC]

US – NHTSA Investigating Car Cybersecurity

The National Highway Traffic Safety Administration (NHTSA) is expanding its investigation into automobile cybersecurity concerns. Initially the agency was focusing on Chrysler, which last week issued a recall to fix a software issue in 1.4 million cars. Now NHTSA wants to find out which other car manufacturers may have used similar parts. [The Hill] [slate.com: The Fourth Amendment and Driverless Cars – Should cops need a warrant to access data from your self-driving vehicle?]

IN – Supreme Court to Rule on Right to Privacy

India’s constitutional bench of the Supreme Court will decide if privacy is a fundamental human right, a move catalyzed by pushback on the government-mandated Aadhaar system, which utilizes biometric information for its citizen ID cards. “The government had told the court last month that privacy was not a fundamental right and there were several restrictions related to the subject,” the report states. “Some rights activists however have argued that the collection of biometric data (for the Aadhaar system) including iris scans and finger printing is a violation of privacy. They added that as private agencies were contracted to collect the personal data, there are serious concerns about the safety of the sensitive personal data in private hands.” [Full Story] [India: Supreme Court slams Govt: No right to liberty if no privacy]

US – FTC Closes Morgan Stanley Investigation

The FTC will not pursue enforcement action against Morgan Stanley after concluding an investigation of the corporation’s 2015 breach. In a letter to Morgan Stanley’s legal team, FTC Associate Director of the Division of Privacy and Identity Protection Maneesha Mithal explained the move, which the report argues “suggests that if an entity has appropriate policies in place, but there’s a failure due to ‘human error,’ then the FTC will not necessarily pursue a case,” adding that “in this case, the access controls for one narrow set of reports were configured improperly, and Morgan Stanley corrected the problem as soon as they became aware of it.” [Full Story]

US – FTC Seeks Public Comment on New Potential Consent Method

The FTC has issued a request for public comment on a proposed verifiable parental consent method under the Children’s Online Privacy Protection Act (COPPA) Rule. Riyo submitted a proposal for a consent method that involves “validating a parent’s face against an online presentation of verified photo identification.” The method is based on a fraud-prevention tool currently in use, Riyo said, adding the method differs from those in the COPPA Rule because it uses computer vision technology, algorithms, image forensics and multi-factor authentication. The FTC is seeking public comment through September 3 on whether the method is covered under COPPA already and whether the benefits of the program outweigh risks to consumer data. [Full Story]

US – Judge Won’t Dismiss Sony Suit

A California court has upheld a class-action suit against Sony in which nine of the corporation’s 15,000 victims of the 2014 breach claim Sony showed “negligence, breach of implied contract … and violation of the California Confidentiality of Medical Information Act.” While “Sony argued that the plaintiffs endured no current or threatened injury that is impending,” U.S. District Court Judge R. Gary Klausner disagreed. “The information included financial, medical and other personally identifiable information, was used to threaten the individual victims and their families and was posted on the Internet,” Klausner stated, adding, these “alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury.” [Full Story]

US – FTC Charges Data Brokers in $7 Million Financial Scam

The FTC has charged data brokers with illegally selling the sensitive financial information of payday loan applicants “to a scam operation” that effectively bilked more than $7 million from approximately 500,000 applicants. According to the FTC press release, scammers debited individuals’ bank accounts and charged their credit cards without consent. “Scammers used consumer information they bought from this operation to make millions in unauthorized charges,” said FTC Bureau of Consumer Protection Director Jessica Rich. “Companies that collect people’s sensitive information and give it to scammers can expect to hear from the FTC.” The defendants are Sequoia One, Gen X Marketing Group, Jason A. Kotzker, Theresa D. Bartholomew, John E. Bartholomew and Paul T. McDonnell. [Full Story]

US – NYC Hospitals Ban Filming of ER Reality TV Without Prior Written Consent

New York City hospitals will no longer allow the filming of reality TV in their wards without prior written consent. According to the New York Post, the Greater New York Hospital Association said in a statement that the ban “effectively puts an end to ‘reality TV’ in New York’s emergency rooms.” The ban was sparked by an April 2011 accident that claimed the life of an 83-year-old man struck by a garbage truck in Manhattan. ABC “NY Med” filmed the efforts to save the victim and the exchanges between the doctors and his relatives. Although the family’s faces were obscured, the family said they recognized themselves when the show aired in August 2012. Manhattan City Councilman Dan Garodnick says “reality TV has no place in our emergency rooms.” [680 News]

US – Target Joins the Beacon Bandwagon with Trial in 50 Stores

Target, the nation’s second-largest discount chain, is testing beacon technology in 50 of its stores. The retailer joins a growing number of retailers that hope to attract customers with timely deals sent to their smartphones and smartwatches on products based on their location. At the same time, use of beacons worries privacy experts, who say that too much personal data is being collected and stored by retailers or third parties. That data, they said, could become vulnerable to hackers. The use of beacons will only add to the growing pool of personal data available to hackers, analysts said. The primary focus of Target’s announcement Wednesday was on ways that customers can improve their in-store experience by connecting to the egg-sized beacons that are spread around the store. The beacons use Bluetooth technology to connect to the customer’s device via an updated Target app. The app is available now for iPhones and is coming soon to Android devices. [Computerworld]

US – Commissioners: Simmer Down, FCC

The FCC’s Michael O’Rielly and the FTC’s Maureen Ohlhausen take umbrage with the FCC’s Open Internet Rules initiatives, which they argue will create onerous privacy restrictions for Internet providers. “The FCC should refrain from imposing its Byzantine privacy regime on broadband and Internet providers,” they write in an op-ed for The Wall Street Journal. “If it doesn’t, Congress may need to reemphasize the roles it has set for agencies regarding privacy and data security issues.” They also discuss the change in FTC and FCC jurisdiction. “Privacy enforcement over Internet service providers … previously resided with the FTC,” The Hill reports. “But when the FCC took the controversial step of reclassifying Internet access, it also snatched up that role.” [Full Story] [US — Rand Paul and Chris Christie tangle over surveillance during Republican debate]

US – Commissioner Wright to Leave FTC

The FTC announced that Commissioner Joshua Wright will resign his post, serving his last day on August 24. He has served since his appointment by President Barack Obama in January 2013. “The agency has benefited greatly from his perspective as a lawyer and economist,” said FTC Chairwoman Edith Ramirez. “We are going to miss him.” Wright writes in his resignation statement that he will return to George Mason University School of Law as a professor of law. Notably a dissenter on recent FTC reports and settlements, including the IoT report in January and Nomi Technologies settlement in April, Wright said of his colleagues, “While we agreed upon the right course of action for the Commission more often than not, when we did disagree, our discussions were always productive and respectful of the diverse perspectives within the agency.” [Full Story]

US – Court Upholds FCRA Dismissal

The Seventh Circuit has upheld the dismissal of a suit alleging Advocate Health and Hospitals violated the Fair Credit Reporting Act (FCRA). The proposed class-action alleged Advocate Health and Hospitals failed to protect health data that was stolen from its offices, the report states, noting the Seventh Circuit indicated the hospital is not a “consumer reporting agency.” The Seventh Circuit said Advocate Health and Hospitals does not “get paid for assembling information on patients; instead, it sends information to insurers and government agencies in order to get paid. This excludes Advocate from being considered a consumer reporting agency under the FCRA,” the report states. [Full Story]

US – Strippers’ Info Kept Away from Praying Man

A group of Washington strippers and club managers do not have to disclose their personal information requested by a man who wants to pray for them, a federal judge ruled. Tacoma resident David Van Vleet filed a Public Records Act request with the Pierce County auditor as a private citizen, seeking the personal information of dancers at DreamGirls at Fox’s, a strip club in Parkland, Washington. Van Vleet told local reporters that he requested the information because he wanted to pray for them. “I’m a Christian,” Van Vleet said. “We have a right to pray for people.” [Courthouse News Service]

US – Other Privacy News

The FCC’s Michael O’Rielly and the FTC’s Maureen Ohlhausen take umbrage with the FCC’s Open Internet Rules initiatives, which they argue will create onerous privacy restrictions for Internet providers.

U.S. District Court Judge Lucy Koh’s ruling to elevate an email privacy suit against Yahoo to a class-action still stands, according to the Ninth Circuit Court of Appeals, which rejected Yahoo’s request to overturn Koh’s decision.

The Seventh Circuit has upheld the dismissal of a suit alleging Advocate Health and Hospitals violated the Fair Credit Reporting Act.

The Ninth Circuit Court of Appeals upheld the dismissal of a class-action suit alleging Netflix violated the Video Privacy Protection Act.

The Seventh Circuit Court of Appeals overturned a district court ruling that had tossed a class-action lawsuit against Neiman Marcus over its 2014 data breach.

Privacy-minded members of Congress aim to curb federal use of Stingrays, which function similarly to cell-phone towers, allowing phones within a certain space to connect and unknowingly share information with agencies like the FBI.

In two separate cases, judges have ruled that owning a cell phone does not equate to an agreement allowing law enforcement to access and use location data.

The Shutterfly biometric case is challenging the Illinois Biometric Information Privacy Act.

Court cases involving the collection of biometric information may mean Illinois’ biometric privacy law will serve as a guide for other states looking to implement similar legislation.

Privacy Enhancing Technologies (PETs)

WW – Mozilla to Offer Anti-Tracking Tool; Privacy-Based Browsers Grow

Mozilla is testing enhancements to private browsing in Firefox that would prevent third parties from tracking users across sites. While many browsers have a do-not-track option, many companies don’t honor them, the report states. Mozilla’s experimental tool would block outside parties from tracking users via cookies and browser fingerprinting. Search engines aimed at protecting user privacy are seeing a surge in business. DuckDuckGo reports its daily search query numbers have grown 600 percent since the Snowden revelations. Meanwhile, Microsoft is refuting allegations that it’s collecting specific consumer data through its Windows 10 operating system. [Full Story] [WW – As browser wars get personal, Firefox gives privacy a try]

WW – NII Releases Privacy Visor

The National Institute of Informatics has released the newest iteration of its privacy visor, and it’s set to go on sale next year. The device aims to conceal the privacy-conscious from photo-recognition technology by employing “light-reflective material and a mask, which uses angles and patterns to disrupt facial-recognition technology through both absorbing and bouncing back light sources,” the report states. “Photos taken without people’s knowledge can violate privacy,” the team of researchers behind the product said. “For example, photos may be posted online together with metadata including the time and location. But by wearing this device, you can stop your privacy being infringed in these ways.” [Full Story] [‘Privacy Visor’: Japan designs eyewear to prevent facial recognition]

Winning Study Has Lessons for Product Design

It’s relatively intuitive that the more tech knowledge individuals have, the more likely they are to identify privacy risk as they use tech products. The award-winning paper, “My Data Just Goes Everywhere,” confirms this. However, that ability to identify privacy risk helps very little, researchers found, in spurring people to actively avoid that risk. Jedidiah Bracy looks into why this is, what does trigger risk-avoidance and what that suggests for product design and privacy policy, in this post for Privacy Tech. Meanwhile, ITBusiness Edge encourages technologists to ask “are we abetting the data collectors in something that might be bad for society’s—and our own—best interest?” [Full Story]

Apps for Keeping Conversations Private

Companies are addressing consumer concerns with “dark social” apps that allow users to send messages without the “traceable footprint,” CNBC reports. Privacy is “getting more and more to the forefront of people’s consciousness,” said Open Garden Chief Marketing Officer Christophe Daligault. “There’s chatter about the snoopers. Geotargeting and governments are trying to provide a number of ways for people to not be able to communicate privately, and there’s a growing concern of a cat-and-mouse game.” Enter apps like OM, Open Garden’s messenger that allows “completely off-the-grid conversations.” These apps have proven successful, with 93% of respondents to a 2014 RadiumOne poll indicating they had used a “dark social” tool “more than three times the rate they used Facebook for the same purposes,” the report states. Editor’s Note: Privacy communications start-ups Confide, Personal, and Disconnect.Me will discuss their technology at the Privacy.Security.Risk. conference’s “New Innovations in Privacy and Security” panel in Las Vegas Sept. 30-Oct. 1. [Full Story]

RFID / IoT

US – New IoT Guidelines Open for Comments

The Online Trust Alliance (OTA) has published a series of guidelines for corporations like Microsoft and Target involved in the production and sale of Internet-of-Things devices, calling for tighter privacy policies, greater use of encryption and an attitude of long-term privacy sustainability. Without a framework of best practices, it “could lead to hackers remotely opening garage doors and turning on baby monitors that are no longer patched, to infiltrating fitness wearables to spy on health vitals, or creating mayhem by sabotaging connected appliances,” said the OTA in a statement. The group is accepting comments on its guidelines until September 14. [Full Story] See also: [Wearable tech will transform sport – but will it also ruin athletes’ personal lives?] [A DEFCON-Black Hat Roundup for the Privacy Pro] [Brookings: Building Economies with Privacy in Mind]

US – Online Trust Alliance Develops IoT Security Guidelines

The Online Trust Alliance (OTA), whose members include Microsoft, Symantec, and Verisign, says that the manufacturers of smart home devices and other Internet-connected products that make up the Internet of Things (IoT) are not paying attention to the need to build in security. It has issued suggested guidelines for manufacturers, developers, and retailers, and is inviting public comment. [The Register] [ZDNet] [CNET] [NYT: Why ‘Smart’ Objects May Be a Dumb Idea]

UK – Apple’s Airdrop Abused By ‘Cyber-Flashing’ London Train Perv

Perverts have latched onto Apple’s AirDrop as a means of pushing unsavoury content at unsuspecting commuters. Lorraine Crighton-Smith, 34, received two unsolicited pictures of an unknown man’s penis on her iPhone via AirDrop as she was travelling to work on a train in south London. Officers are investigating the case, which they reckon is the first of its type that they have come across. AirDrop is a document transfer technology that works between supported Macs and iDevices. Apple introduced the Bluetooth-based tech with the release of iOS 7 back in 2013. It’s supported by devices from the iPhone 5 onwards. By default AirDrop is restricted to “contacts only”, but this is changed to “everyone” as soon as a user accepts a message from a previously unknown contact. From that point on users run the risk of being sent all sorts of undesirable content by strangers. [The Register]

Security

US – White House Calls for Increased Cybersecurity Budgets

The Obama administration has proposed a $14 billion budget increase for the IRS, Department of Health and Human Services and other agencies’ 2016 cybersecurity allotments, a figure that represents a 72-percent increase in security funding, National Journal reports. Budget documents indicated that with the greater resources, “the IRS would take especially aggressive steps to fight identity theft and stolen identity refund fraud,” including “systems improvements and new information-sharing with states and industry to help detect and prevent identity theft before tax refunds are paid.” [Full Story]

US – Hackers Compromised Emails from “All” Top Security, Trade Officials

According to a secret document, Chinese hackers compromised “the private emails of ‘all top national security and trade officials’” since 2010. The unnamed source indicated the attacks were ongoing. The revelation has opened the doors for criticism of the U.S. government’s attitudes regarding cybersecurity. “The U.S. government has proven itself incompetent” in protecting its data, said Fight for the Future’s Evan Greer, adding, “Information-sharing bills like CISA would make us even more vulnerable by dramatically expanding the amount of private data the U.S. government keeps in its databases and the number of government and law enforcement agencies who would house that data.” [NBC News]

US – FTC Recommends 10 Steps to Help Ensure Data Security

While there is no generally applicable federal law in the U.S. requiring all businesses to take particular steps to secure their sensitive data, the FTC has investigated and penalized numerous companies for failing to implement “reasonable” data security standards. In an effort to help guide U.S. businesses on the question of what constitutes “reasonable” security measures, the FTC launched a “Start with Security Initiative” on June 30th, to provide information to businesses about data security and the protection of consumer information. The initiative comprises three elements: a publication containing lessons from more than 50 data security cases brought by the FTC; a series of educational conferences across the country aimed at small- and medium-sized businesses in various industries; and a website that consolidates the Commission’s data security information for businesses at fkks.com.

1) Start with Security.

2) Control Access to Data Sensibly.

3) Require Secure Passwords and Authentication.

4) Store Sensitive Personal Information Securely and Protect It During Transmission.

5) Segment Your Network and Monitor Network Activity.

6) Secure Remote Access to Your Network.

7) Don’t Forget About Security for New Products.

8) Make Sure Your Service Providers Implement Reasonable Security Measures.

9) Update Security Practices.

10) Secure Paper, Physical Media, and Devices. [Source]

WW – Lenovo Installs Unremovable Unwanted Software

Lenovo has been using code in the firmware of some devices to make unwanted software persist even after users reinstall operating systems. Lenovo is exploiting Microsoft’s Windows Platform Binary Table feature, which is built into Windows machines. [v3.co.uk] [ZDNet] and see also: [Intel Architecture Flaw Lets Attackers Install Rootkits]

WW – Security Flaws in ZigBee Wireless Standard

Several flaws have been found in the ZigBee wireless security standard; they could be exploited to compromise vulnerable devices and take control of other devices on the same network. ZigBee is used in many IoT devices and in smart home networks. [ZDNet] [The Register]

WW – (Some) Android (Users) to Get Monthly Updates

Google and companies that manufacture Android devices are distributing a fix for the critical Stagefright vulnerability. Android users have usually not received security updates in a timely manner; Google, Samsung, and LG now say they will issue monthly security updates for Android devices. [ComputerWorld] [The Register] [Ars Technica] [WW – Where did the principle of secrecy in correspondence go?]

WW – Hacking Printers to Send Data as Sound Waves

A team of security researchers has demonstrated the ability to hijack standard equipment inside computers, printers and millions of other devices in order to send information out of an office through sound waves. The attack program takes control of the physical prongs on general-purpose input/output circuits and vibrates them at a frequency of the researchers’ choosing, which can be audible or not. The vibrations can be picked up with an AM radio antenna a short distance away. [The Whig]

Smart Cards

US – Stingrays in Congressional Crosshairs

Privacy-minded members of Congress aim to curb federal use of Stingrays, which function similarly to cell-phone towers, allowing phones within a certain space to connect and unknowingly share information with agencies like the FBI, USA Today reports. “I don’t see how you can use a Stingray without it raising very substantial privacy issues,” said Sen. Ron Wyden (D-OR). “I want police to be able to track dangerous individuals and their locations, but it ought to be done with court oversight under the Fourth Amendment.” This summer, the House passed an amendment to the Justice Department’s funding bill to “bar funding for the use of Stingrays without a warrant,” the report states, noting the Justice Department has said it is “reviewing its policies” regarding the use of Stingrays. [Full Story]

US – App Will Help RNC Manage Updated Voter Database

A new app to be unveiled by the Republican National Committee’s (RNC) chief technology officer includes a toolkit for helping campaigns manage their field operations, Bloomberg reports. The product is called Republic VX and allows campaigns to look at the efficacy of specific volunteers, for example, or even detect when volunteers are lying by claiming they’d knocked on more doors than they had, the report states. It will use the RNC’s voter file, automating updates to it by the end of each election season to keep the database fresh. It’s an indication of the RNC’s new seriousness about using and improving data systems for campaigning, the report states. [Full Story]

Surveillance

CN – China to Establish Police Presence at Major Internet Companies

The Chinese government plans to put “network security offices” staffed by police at large Internet companies in that country. The goal is to “catch criminal behavior online at the earliest possible point.” There is some suspicion that the plan is also part of the country’s efforts to censor what people in that country can view on the Internet. [CNET] [ComputerWorld] [Wired] [What does the panopticon mean in the age of digital surveillance?] [It’s incredibly difficult to stop the Internet from knowing you’re pregnant]

US – EINSTEIN’s Effectiveness Called Into Question

As the Department of Homeland Security (DHS) pushes the Carper-Johnson Federal Cybersecurity Enhancement Act of 2015, a bill that would hasten the adoption of network-monitoring program EINSTEIN, critics question EINSTEIN’s effectiveness in light of the Office of Personnel Management breaches, Federal Times reports. “It’s not necessarily the best out there, but if that’s the fastest way to get government agencies to catch up to the rest of the world on protecting themselves, the bill could be a good thing,” said the SANS Institute’s John Pescatore. “But if that happens at the expense of the deployment of best-in-breed detection and prevention systems, then that’s a bad thing.” He added that deploying EINSTEIN would “at least get each agency to square one … but unfortunately, the attacks have moved on to square three and four.” [Full Story]

WW – ECHELON: The Surveillance Program that Predated Snowden

There is a long history of government data collection—even before digital surveillance was possible. Over the last 50 years, Project ECHELON enabled the U.S. and UK to track enemies and allies within and outside national borders. It’s a program that’s evolved from keywords intercepted in faxes to today’s “all-encompassing data harvesting,” the report states. Privacy advocate Duncan Campbell first made reference to ECHELON in 1988, and in 2000, 60 Minutes published a report on the scope of the program. In 2005, some speculatively pointed to ECHELON as a potential tool the Bush Administration was using, but it wasn’t until the Snowden revelations that it became clear the program exists. [TechCrunch]

CA – Hidden Camera Discovered at Ontario Federation of Labour Headquarters

The discovery of a hidden video camera at the Ontario Federation of Labour headquarters has shaken employees and triggered bitter finger pointing and strong denials among current and former top union brass. In early July, a staff member discovered a concealed working camera in an exit sign near the reception area of the building at 15 Gervais Dr. in Toronto. Ontario Federation of Labour president Sid Ryan confirmed a grievance has been filed by a staff member with respect to the camera. He says he was told cameras were installed in the building “for security reasons” but says he had no idea there was a hidden camera in the reception area until it was discovered by a staff member this summer. [Waterloo Region Record]

WW – Airline Begins Weighing Passengers for ‘Safety’

In a recent statement, Uzbekistan Airways, the country’s flag carrier, announced it will weigh passengers and their carry-on luggage prior to flights to determine how much weight they’ll be adding to the plane. “According to the rules of International Air Transport Association, airlines are obliged to carry out the regular procedures of preflight control passengers weighing with hand baggage to observe requirements for ensuring flight safety,” says the airline’s statement. An IATA spokesperson, however, tells CNN the organization isn’t aware of any such regulation. “We are not aware of an IATA rule concerning the weighing of passengers and their hand luggage prior to flight,” says Chris Goater, manager of IATA corporate communications, via email. [CNN]

Telecom / TV

US – AT&T Helped U.S. Spy on Internet on a Vast Scale

The National Security Agency’s ability to spy on vast quantities of Internet traffic passing through the United States has relied on its extraordinary, decades-long partnership with a single company: the telecom giant AT&T. While it has been long known that American telecommunications companies worked closely with the spy agency, newly disclosed N.S.A. documents show that the relationship with AT&T has been considered unique and especially productive. One document described it as “highly collaborative,” while another lauded the company’s “extreme willingness to help.” AT&T’s cooperation has involved a broad range of classified activities, according to the documents, which date from 2003 to 2013. AT&T has given the N.S.A. access, through several methods covered under different legal rules, to billions of emails as they have flowed across its domestic networks. It provided technical assistance in carrying out a secret court order permitting the wiretapping of all Internet communications at the United Nations headquarters, a customer of AT&T. The N.S.A.’s top-secret budget in 2013 for the AT&T partnership was more than twice that of the next-largest such program, according to the documents. The company installed surveillance equipment in at least 17 of its Internet hubs on American soil, far more than its similarly sized competitor, Verizon. And its engineers were the first to try out new surveillance technologies invented by the eavesdropping agency. One document reminds N.S.A. officials to be polite when visiting AT&T facilities, noting, “This is a partnership, not a contractual relationship.” The documents, provided by the former agency contractor Edward J. Snowden, were jointly reviewed by The New York Times and ProPublica. The N.S.A., AT&T and Verizon declined to discuss the findings from the files. “We don’t comment on matters of national security,” an AT&T spokesman said. [New York Times]

AU – Pilgrim Prods Telcos on Data Retention Privacy

Acting information commissioner Timothy Pilgrim has reminded telcos of their privacy obligations when it comes to retaining customer information in order to comply with the government’s data retention regime. Under the data retention scheme, telcos will need to retain for at least 24 months a range of customer information, ranging from billing information to call and email records. [computerworld.com.au]

US – Cybersecurity Bill Could ‘Sweep Away’ Internet Users’ Privacy, Agency Warns

The Department of Homeland Security (DHS) said a controversial new surveillance bill could sweep away “important privacy protections”, a move that bodes ill for the measure’s return to the floor of the Senate this week. The latest in a series of failed attempts to reform cybersecurity, the Cybersecurity Information Sharing Act (CISA) grants broad latitude to tech companies, data brokers and anyone with a web-based data collection to mine user information and then share it with “appropriate Federal entities”, which themselves then have permission to share it throughout the government. [The Guardian]

US – Judges: Users Shouldn’t Be Forced to Give Up Phones for Privacy

Two judges in two separate cases that dealt with the use of smartphones have ruled that owning a cell phone does not equate with a wholesale agreement for law enforcement access and use of location data. “We cannot accept the proposition that cell-phone users volunteer to convey their location information simply by choosing to activate and use their cell phones and to carry the devices on their person,” said Fourth Circuit Judge Andre Davis. And in a California case, U.S. District Court Judge Lucy Koh said “making it this easy to track Americans is a violation of the constitutional right to be protected against unreasonable searches,” adding that “it is untenable to force individuals to disconnect from society just so they can avoid having their movements subsequently tracked by the government.” [Fusion]

WW – BYOD’s Potential Headaches

Forbes and IT News Africa report on the challenge organizations face in protecting bring-your-own-device (BYOD) tools from attack while not impairing user privacy. “Simply locking down mobile devices, however, is not a realistic response. Instead, organizations should give users freedom to use devices as they like, while assuming that they may in fact become compromised,” said Lookout CTO Kevin Mahaffey. “This requires appropriate security controls that can detect compromise and react in real-time to isolate the device from sensitive data until it recovers.” Meanwhile, Canada’s Office of the Privacy Commissioner, as well as the Offices of the Information and Privacy Commissioner in Alberta and BC, are cautioning businesses regarding potential BYOD security risks and have issued a joint publication for organizations.

US – Groups Want FCC to Stop Requiring Telecoms to Store Data

A coalition of tech and privacy groups is asking the FCC not to make telecommunications companies store customer data. Current policy requires companies to keep caller names, addresses and telephone numbers as well as “telephone number called, date, time and length of the call” for 18 months for billing purposes. Privacy groups say that opens Americans up to inappropriate surveillance and data breaches. In a letter to the FCC, the 26 groups—led by the Electronic Privacy Information Center—called the policy “outdated and ineffective,” adding, “It is not necessary or proportionate for a democratic society.” [The Hill]

US Government Programs

US – FTC to Consumers: Give Us Your Complaints

In a FTC post, FTC Division of Consumer and Business Education’s Lisa Weintraub Schifferle writes about a new easier way for consumers to report their privacy complaints to the agency. “Did a company share your personal information without your knowledge or consent? The FTC wants to know,” she writes, adding, “Just go to the FTC’s Complaint Assistant and click the banner that says: ‘Concerned about how a company is handling your personal information? Click here to report privacy concerns.’” Schifferle’s post includes a list of what types of consumer privacy complaints the FTC might address—such as companies knowing more about consumers than they expect. [Full Story] [US: Conservative video-maker James O’Keefe: Homeland Security targeted me, asked intrusive questions]

US – Proposed Cyber Security Requirements for US Government Contractors

The US Office of Management and Budget (OMB) has issued proposed cyber security rules for federal government contractors. The new rules would establish baseline security requirements and oblige contractors to disclose breaches to authorities. The draft rules would also allow the Department of Homeland Security (DHS) to establish monitoring programs on contractors’ systems if they are not abiding by the rules. OMB is accepting public comment on the draft document through September 10, 2015. [NextGov] [The Hill] [CIO]

US – Poll: Voters Support Gov’t Monitoring of Social Media

A recent poll indicates a majority of voters support the government monitoring social media to assist in the fight against terrorists. The report notes that many tech companies are opposing Bill S 1705, which would require them to “report potential terrorist activity on their sites to law enforcement,” but states that 61% of voters responding to the poll “said they were in favor of the government monitoring social media sites to defend against potential terrorist attacks, while 27% opposed it.” The poll, which was conducted from July 31 through August 3, focused on “a national sample of 2,069 registered voters,” the report states. [Morning Consult]

US Legislation

US – Mental Health Bills Continue to Raise Privacy Questions

Proposed legislation including the Senate’s Mental Health Reform Act and the House’s Helping Families in Mental Health Crisis Act that aim to “improve federal oversight and give patients more access to services” have incited debate over mental health treatment and patient privacy, according to U.S. News and World Report. “The bills will be a tremendous violation of freedom that we wouldn’t be okay with if it were any other group of people,” said the Western Mass Recovery Learning Community’s Sera Davidow. Meanwhile, a judge ruled against therapists who argued it was a violation of patient privacy to disclose that their clients were viewing child porn. [Full Story]

US – Congresswoman Details Forthcoming Revenge Porn Bill

Upcoming federal “revenge porn” legislation will be proposed by Rep. Jackie Speier (D-CA) in September. Speier co-authored the bill with a yet unnamed Republican, while a mirror bill is expected in the Senate. “This is not just about jilted lovers trying to get revenge,” Speier said. “This is about protecting an individual’s right to privacy … It is something that we value in the First Amendment, and it’s something that I think cries out for a federal solution.” The bill is expected to meet resistance from free-speech advocates concerned that it will stifle online expression. Meanwhile, convicted revenge porn website operator Kevin Bollaert—who is serving an 18-year sentence—claims he ran his site in defense of free speech. [National Journal]

US – CISA Stalls for Now

A Senate effort to pass the controversial Cybersecurity Information Sharing Act (CISA) stalled this week, potentially leaving the fate of the bill uncertain. There is a chance the Senate could revisit the legislation when it comes back from summer recess in September, but the upper chamber will have a slew of other big issues, including a nuclear deal with Iran and a measure to fund the federal government, the report states. Senate Majority Leader Mitch McConnell (R-KY) was going to allow debate on the 21 amendments placed on CISA, but time ran short on such an effort. Sens. Ron Wyden (D-OR), Al Franken (D-MN) and Patrick Leahy (D-VT) have all called for more privacy protections within the bill. [The Wall Street Journal]

US – Governor Signs Four Privacy Laws

Delaware Gov. Jack Markell has signed four new privacy laws aimed at protecting “the personal information of school-aged children,” preventing “the distribution of victims’ personal information” and stopping “the practice of employers demanding access to their employees’ personal social media accounts,” Government Technology reports. “While the Internet has revolutionized the way we live and work, and made possible countless advances in our society, we must also recognize that it has made our citizens’ personal information more vulnerable than ever,” Markell said. “Some restrictions on how personal information is shared are reasonable, and I commend the legislators, Attorney General Denn and everyone involved in working on these bills for finding a balance between online commerce and personal privacy.” [Full Story] [US: Delaware Governor Signs Internet Privacy, Safety Package into Law]

US – Other Privacy Legislation

California and Nevada are expanding the definition of personal information and requiring stronger security for companies that share personal information.

North Carolina’s Senate passed SB 446, which aims to develop guidelines for operating drones.

Wisconsin Rep. Amy Loudenbeck (R-Clinton) has introduced AB 303 to prohibit the Department of Workforce Development from requiring job seekers to provide a Social Security number in order to search for jobs on the Job Center of Wisconsin website.

Maine has a new drone privacy bill, one of several pieces of legislation its governor was unwilling to sign.

Wyoming lawmakers are moving to change the state’s constitution to add privacy and open-government protections.

Sens. Orrin Hatch (R-UT) and Tom Carper (D-DE) have introduced the Federal Computer Security Act of 2015, which would require inspectors general and the Government Accountability Office to report on security practices and software.

Delaware has passed a suite of four laws aimed at protecting citizens’ and children’s privacy, including legislation to prevent ed-tech providers from selling students’ personal information and limitations on advertising on sites and apps targeted at children, reports Delaware 105.9.

The Department of Homeland Security has warned that the proposed Cybersecurity Information Sharing Act will “sweep away important privacy protections.”

Rep. Jackie Speier (D-CA) will introduce a bill to battle so-called revenge porn on September 9.

A mental health reform bill introduced by Sens. Chris Murphy (D-CT) and Bill Cassidy (R-LA) could mean updates for HIPAA.

A District Court judge has ruled unconstitutional a Burlington, North Carolina, ordinance requiring hotels to furnish police with names on their guest registries.

Workplace Privacy

WW – Anti-Doping Agency Asking Athletes for Info on Breach

The World Anti-Doping Agency (WADA) invited athletes to come forward if they feel their privacy was breached by leaked results of suspicious blood tests. WADA said its independent commission will “urgently” investigate allegations of widespread doping in athletics aired by German broadcaster ARD, The Associated Press reports. ARD alleged the files indicated 800 suspicious results in blood samples from 5,000 athletes from 2001 to 2012. “WADA is committed to protecting the confidentiality of athletes,” said WADA President Craig Reedie in a statement, adding WADA “deplores” the way the data was obtained and leaked to the media. He urged any athlete concerned that their rights “are being eroded” to come to the commission. [Full Story]

US – Appeals Court to Hear Employee Data-Theft Case

A Massachusetts Appeals Court will hear a case that raises the question of employer liability when an employee takes company data for personal reasons, Privacy and Security Matters reports. In Adams v. Congress Auto Insurance Agency, Inc., a customer argued the insurance company did not adequately protect his data after one of its employees passed his phone number to her boyfriend to dissuade the customer from pursuing police action against him. The Superior Court found the employee’s “alleged theft of personal information from a secure database” and her boyfriend’s “subsequent misuse of that data were both criminal acts that severed the chain of causation between Congress’ alleged negligence and the harm” to the customer. [Full Story]

+++

16-31 July 2015

Biometrics

IN – In Effort to Expand Biometric ID Scheme, India Says Privacy Not Fundamental Right

During the course of defending the legality of the Aadhaar biometric scheme before India’s Supreme Court this week, the chief lawyer for India’s central government argued that privacy is not a fundamental right bestowed by the country’s constitution. India’s government also asked the court to reconsider all Supreme Court judgments over the past two decades that defined privacy as a constitutional right. India’s central government made the argument in order to defend extending the use of the Aadhaar biometric system for security and crime-related surveillance. The government is currently piloting the use of the biometric scheme for airport security. Ironically, the Modi government, which came to power last year, was highly critical of the previous government’s administration of the biometric ID system during a contentious election campaign, when it characterized Aadhaar as a “failure” and a “waste of money” that needed to be eliminated. However, after the new government came to power, it decided not only to maintain, but expand the system, with a view to expanding social services, along with enhancing attendance monitoring over government employees. [Biometric Update]

US – GAO Tells Congress to Revisit Facial-Recognition Tech

The Government Accountability Office (GAO) has released a new report on facial-recognition technology, specifically on its commercial uses, privacy issues and the applicable federal law. Although the report does not put forth any recommendations, it proposes that Congress look into “strengthening the consumer privacy framework” to keep up with emerging technology such as facial recognition. Sen. Al Franken (D-MN) announced the new report and issued a press release on it, writing that “what we really need are federal standards that address facial-recognition privacy by enhancing our consumer privacy framework.” [TechCrunch] [All forms of biometric authentication are not created equal]

WW – Facebook’s Facial-Recognition Tool Draws Privacy Ire

When you are identified in a picture on Facebook, biometric software remembers your face so it can be “tagged” in other photographs. Facebook Inc. says this enhances the user experience. But privacy advocates say the company’s technology — which was shut off in Europe and Canada after concerns were raised — should only be used with explicit permission. The U.S. government is participating in a working group to develop rules for companies using facial recognition — even if those are voluntary. “Face recognition data can be collected without a person’s knowledge,” said Jennifer Lynch, an attorney for the Electronic Frontier Foundation, a San Francisco-based privacy rights group. “It’s very rare for a fingerprint to be collected without your knowledge.” Privacy groups such as Lynch’s last month cited the business community’s opposition to requiring prior consent as the reason they walked out on the government meetings. The Department of Commerce’s National Telecommunications and Information Administration, which sponsored the talks, plans to continue the process without most of the privacy advocates. [Bloomberg News]

WW – Researchers’ Breakthrough Means Faces on CCTV, Infrared-Footage Identifiable

The problem with infrared surveillance videos or CCTV videos thus far has been that it can be difficult to recognize the people in them. That’s because “the link between the way people look in infrared and visible light is highly nonlinear,” so matching images of people in such surveillance footage to how they look in real life has been an unresolved challenge, the report states. But Saquib Sarfraz and Rainer Stiefelhagen at the Karlsruhe Institute of Technology in Germany may have solved the problem by teaching a neural network to do the work. One reason this has become possible is the growth of vast databases of facial images, the report states. [MIT Technology Review] [Deep Neural Nets Can Now Recognize Your Face in Thermal Images]

US – NetChoice Praises NTIA Facial-Recognition Talks

NetChoice, which represents online commerce companies and advocates, has announced it is pleased with the results of the latest National Telecommunications and Information Administration (NTIA) facial-recognition discussion. The NTIA discussion aimed to “vet two proposed privacy best practices for facial recognition,” the report states. “Today was extremely productive as a diverse group of stakeholders made clear steps toward establishing facial-recognition technology policies and regulations that foster transparency, control and closure,” said NetChoice’s Carl Szabo. “I think we all agree that companies using facial-recognition technologies should provide people with meaningful control when their facial image data is shared with others,” he added. [Multichannel News]

WW – Keystroke-Monitoring Identified as Anonymity Threat

Monitoring a user’s keystrokes, “a sort of digital fingerprint that can betray its owner’s identity,” has been identified by security researchers as a threat for Tor users. “The risk to anonymity and privacy is that you can profile me and log what I am doing on one page and then compare that to the profile you have built on another page,” said security researcher Runa Sandvik. “Suddenly, the IP address I am using to connect to these two sites matters much less.” Researchers Per Thorsheim and Paul Moore developed a Chrome plugin to ward off these attacks. “For oppressive regimes, this is most certainly of high interest,” Thorsheim said. [Ars Technica]
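To make the threat concrete, here is an added example of how a typing-rhythm profile links two sessions that share no IP address, and what random delay does to that link. It is not the researchers’ code and does not reproduce their Chrome plugin; the keystroke logs are constructed, and the typist names, the 30 ms match threshold, the four-feature profile and the jitter model are this example’s own assumptions.

```python
"""Keystroke-timing fingerprints: linking two sessions by typing rhythm, and
what random delay does to that link.

Added example for the keystroke-monitoring item above. Not the researchers'
code; the logs below are constructed, and the typist names, the 30 ms
threshold and the four-feature profile are assumptions of this example.
"""
import math
import random
import statistics
from typing import Dict, List, Optional, Tuple

# One keystroke as a page's keydown/keyup handlers would record it:
# (key, keydown_ms, keyup_ms), milliseconds since the session started.
Event = Tuple[str, float, float]

FEATURES = ("dwell_mean", "dwell_sd", "flight_mean", "flight_sd")
MEANS_ONLY = ("dwell_mean", "flight_mean")
THRESHOLD_MS = 30.0  # assumed: profiles closer than this count as "same typist"


def simulate_session(text: str, dwell_ms: float, flight_ms: float,
                     noise_ms: float, seed: int) -> List[Event]:
    """Constructed data: a typist with characteristic key-hold (dwell) and
    key-to-key (flight) times, each perturbed by Gaussian noise."""
    rng = random.Random(seed)
    events: List[Event] = []
    t = 0.0
    for ch in text:
        down = t
        up = down + max(20.0, rng.gauss(dwell_ms, noise_ms))
        events.append((ch, down, up))
        t = up + max(10.0, rng.gauss(flight_ms, noise_ms))
    return events


def profile(events: List[Event]) -> Dict[str, float]:
    """Reduce a session to a timing profile. Real systems use per-key-pair
    statistics; mean and spread of dwell and flight suffice to show the effect."""
    dwells = [up - down for _, down, up in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return {"dwell_mean": statistics.mean(dwells),
            "dwell_sd": statistics.pstdev(dwells),
            "flight_mean": statistics.mean(flights),
            "flight_sd": statistics.pstdev(flights)}


def distance(a: Dict[str, float], b: Dict[str, float],
             features: Tuple[str, ...] = FEATURES) -> float:
    """Euclidean distance in milliseconds between two profiles."""
    return math.sqrt(sum((a[f] - b[f]) ** 2 for f in features))


def link_session(unknown: List[Event], known: Dict[str, List[Event]],
                 features: Tuple[str, ...] = FEATURES,
                 threshold: float = THRESHOLD_MS) -> Optional[str]:
    """The cross-site attack: match an anonymous session (e.g. over Tor)
    against profiles built from sessions on other sites. Returns the closest
    known typist, or None if nothing is within the threshold."""
    target = profile(unknown)
    scores = {name: distance(target, profile(ev), features) for name, ev in known.items()}
    best = min(scores, key=scores.get)
    return best if scores[best] <= threshold else None


def jitter(events: List[Event], max_delay_ms: float, seed: int) -> List[Event]:
    """Defence in the spirit of the plugin mentioned above (an approximation,
    not its code): hold every keydown/keyup for a random delay before the page
    sees it, while preserving the order in which events are delivered."""
    rng = random.Random(seed)
    stream = sorted((t, i, kind) for i, (_, d, u) in enumerate(events)
                    for kind, t in (("down", d), ("up", u)))
    out = [[key, 0.0, 0.0] for key, _, _ in events]
    last = -math.inf
    for t, i, kind in stream:
        t = max(last + 1.0, t + rng.uniform(0.0, max_delay_ms))
        last = t
        out[i][1 if kind == "down" else 2] = t
    return [(k, d, u) for k, d, u in out]


# Constructed sessions. KNOWN plays the role of a site where the users are
# logged in; the *_TOR sessions are the same typists on an anonymous site.
TEXT_HOME = "the quick brown fox jumps over the lazy dog on a site that knows who i am"
TEXT_TOR = "anonymity is about more than hiding where the packets come from"
KNOWN = {
    "alice": simulate_session(TEXT_HOME, dwell_ms=90, flight_ms=120, noise_ms=15, seed=1),
    "bob": simulate_session(TEXT_HOME, dwell_ms=140, flight_ms=220, noise_ms=15, seed=2),
}
ALICE_TOR = simulate_session(TEXT_TOR, dwell_ms=90, flight_ms=120, noise_ms=15, seed=3)
BOB_TOR = simulate_session(TEXT_TOR, dwell_ms=140, flight_ms=220, noise_ms=15, seed=4)
ALICE_TOR_JITTERED = jitter(ALICE_TOR, max_delay_ms=120.0, seed=5)

if __name__ == "__main__":
    print("alice over Tor, no defence    ->", link_session(ALICE_TOR, KNOWN))
    print("alice over Tor, with jitter   ->", link_session(ALICE_TOR_JITTERED, KNOWN))
    print("same, matching on means only  ->", link_session(ALICE_TOR_JITTERED, KNOWN, MEANS_ONLY))
```

The third line of output is the caveat a practitioner should keep in mind: zero-mean random delay inflates the spread of dwell and flight times, which is enough to break a profile that uses variance, but it does not move the averages, so an attacker who collects enough keystrokes and matches on means alone still links the sessions. A defence has to alter the rhythm itself (for example by batching input or biasing delays), and longer sessions hand the observer more samples.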

WW – Phones Help Detect Depression Symptoms

A Northwestern University Feinberg School of Medicine study has found that tracking consumers’ smartphone usage could indicate with 86% accuracy whether or not they were depressed. Northwestern Center for Behavioral Intervention Technologies Director David C. Mohr, dubbing phones part of the “fabric of people’s lives,” found the study important as it indicated that critical mental health information may be gleaned “without asking (patients) any questions.” He continued, “We now have an objective measure of behavior related to depression. And we’re detecting it passively. Phones can provide data unobtrusively and with no effort on the part of the user.” [Full Story]

Canada

CA – Foreign Visitors to Canada to Face Electronic Screening

Millions of travellers will soon face another layer of red tape when they try to visit Canada. Starting Saturday, Ottawa will start accepting applications for electronic travel authorization (eTA) from people who wish to travel to Canada by air. Prospective travellers have until March 15 to submit their biographic, passport and other personal information through Citizenship and Immigration Canada’s website for pre-screening or face being denied entry when the border enforcement kicks in. The new measure — part of the harmonization with the United States’ travel security system — will apply to most air passengers, including all applicants for study and work permits, as well as those who come from countries that currently do not require a visa to come to Canada. Critics view the initiative as another attempt to block refugees from arriving on Canadian soil and raise concerns over the use of the data in storage. [Source] See also: [Mondaq News: Canada: Data Protection Agreements]

CA – Ottawa Says Little About CSIS Document Breach Claimed by Anonymous

The federal government is saying little about an apparent breach involving classified information. Digital hacking collective Anonymous made good late Monday on a threat to release what it says is the first of many secret documents. An apparent Treasury Board memo about funding of the Canadian Security Intelligence Service’s overseas communications capabilities was posted online. The Canadian Press could not confirm the document’s authenticity and Jeremy Laurin, a spokesman for Public Safety Minister Steven Blaney, had no immediate comment. In an accompanying video statement, Anonymous denounced the recent shooting of an Anonymous supporter in British Columbia during a confrontation with the RCMP. [The Star] [RCMP national website goes offline, Anonymous claims responsibility]

CA – Manitoba WRHA Putting Personal Health Info at Risk

The Winnipeg Regional Health Authority’s cybersecurity “weaknesses” threaten to allow personal health information to fall into the wrong hands, according to Manitoba’s auditor general. Auditor General Norm Ricard’s report found sensitive patient information can be accessed from personal flash drives, laptops, smartphones and tablets, so-called “end-user devices” that aren’t properly protected. Ricard noted that more than 3,900 personal devices are now connected to WRHA email, which could potentially include personal health information. Flash drives are also a concern. Manitoba’s auditor general made the following 12 recommendations to the Winnipeg Regional Health Authority to enhance cybersecurity:

  1. Identify and assess all risks associated with end-user devices in the WRHA environment
  2. Share assessment results with WRHA CEO and document residual risks
  3. Implement controls to reduce risks associated with end-user devices
  4. Develop a strategic plan for information and communication technology services to the WRHA, including plans for remote access through personal devices
  5. Create an information classification scheme based on the sensitivity of information
  6. Develop guidance for Personal Health Information Act (PHIA) trustees on how to audit their security safeguards
  7. Monitor trustees’ compliance with PHIA’s audit of security safeguards requirements
  8. Develop a risk-based audit program
  9. Update information security training to target higher risk positions and outline incident procedures
  10. Require associated physicians, medical staff, contractors, students, researchers and employees periodically attend PHIA awareness training
  11. Require same individuals to attend security awareness training upon hiring
  12. Implement additional information security awareness techniques to reinforce training

The WRHA said it is committed to making all of the changes and some are already underway. [The Winnipeg Sun]

CA – Medical Marijuana Class Action Certified by Federal Court

The Federal Court of Canada has certified a class-action lawsuit involving 40,000 people in the medical marijuana access program. The case was launched in 2013 after Health Canada sent letters to people with the program’s name on the envelope. Before that, mail sent to individuals in the program didn’t mention marijuana. Recipients were upset, saying their privacy had been violated. Some said they worried they’d lose their jobs or become victims of a home invasion. In March this year, the Office of the Privacy Commissioner of Canada ruled that Health Canada had violated federal privacy laws. That ruling didn’t allow for any compensation. In a press release, the Halifax law firm that launched the case says the certification shows the Federal Court has decided the class-action lawsuit is necessary to allow people access to justice. The plaintiffs are seeking damages for breach of contract, breach of confidence, invasion of privacy and charter violations. The federal government now has 30 days to appeal the Federal Court’s certification. [Source] See also: [Canadian Appeals Monitor: Overview of Ontario Court of Appeal’s Decision in Hopkins v. Kay] SEE ALSO: [RCMP overrides rights of bereaved families: Editorial]

CA – TPP Likely to Force Canada to Repeal Local Data Protection Laws

U.S. negotiators are pushing hard to eliminate national laws in TPP countries that require sensitive personal data to be stored on secure local servers, or within national borders. This goal collides with the B.C. Freedom of Information and Protection of Privacy Act and similar rules in Nova Scotia, which are listed as “foreign trade barriers” in a 2015 United States Trade Representative (USTR) report. According to that report, the B.C. privacy laws “prevent public bodies such as primary and secondary schools, universities, hospitals, government-owned utilities, and public agencies from using U.S. services when personal information could be accessed from or stored in the United States.” Irrespective of your views on whether such local storage requirements are reasonable or not, what’s significant here is that TPP, ostensibly a trade agreement, may force Canada to repeal local privacy laws. That fact underlines why the secret nature of the negotiations is profoundly anti-democratic: matters are being decided behind closed doors that should rightly be debated openly. [Techdirt] [Pacific trade deal could raise health costs, lower privacy protection: Geist]

CA – File Breach at Electronic Spy Agency Prompts Mandatory Privacy Training

Canada’s electronic spy agency introduced mandatory privacy awareness training for all employees in March following an internal breach involving personal information. When Greta Bossenmaier became chief of the Communications Security Establishment in February, the ultra-secret eavesdropping outfit was under intense public scrutiny over alleged spying on citizens. But less than two months into the job, Bossenmaier was informing the spy agency’s staff of a privacy violation inside its own walls. [The Canadian Press]

CA – Ontario Hit With Hundreds of Privacy-Breach Complaints

Ontario has been hit with more than 200 privacy complaints about the mishandling of personal information by the provincial government or its agencies over the past 18 months, according to Information and Privacy Commissioner Brian Beamish. Most of them can be chalked up to human error or computer glitches, but the common thread in the complaints is that detailed personal information ended up in the wrong hands. As recently as last week, a misdialed fax machine was blamed for a privacy breach affecting hundreds of Ontario Disability Support Program recipients in Hamilton. In 2014 the Information and Privacy Commissioner’s office received 61 reports of breaches from provincial ministries and government agencies, and 73 from individuals, plus nine others that the office initiated on its own, Beamish said. This year so far there have been 29 from ministries and agencies, 35 from individuals and four self-initiated. [The Toronto Star]

CA – Complaint filed with Ontario Press Council

The Ontario Press Council has received a complaint against Bullet News Niagara. The complaint is for a story the online media outlet published last week about an anonymous poster, whose identity became known to his employer and ultimately led to the employee losing his job. [Source]

Consumer

US – Study: Consumers Want To Know If Companies Are Collecting Data

An Annenberg School for Communication study indicates consumer support for the trade of their data for discounts is largely “overstated.” The survey found 91% disagree and 77% strongly disagree that “If companies give me a discount, it is a fair exchange for them to collect information about me without my knowing,” the report continues. “By misrepresenting the American people and championing the trade-off argument, marketers give policy-makers false justifications for allowing the collection and use of all kinds of consumer data often in ways that the public find objectionable,” the report stated. “Data collection in itself isn’t inherently evil, but companies have to be more forthright about what they are doing because customers are watching,” Digital Clarity Group’s Tim Walters said. [TechCrunch] See also: [Big Data Knows You Like Losers] and [Men who harass women online are quite literally losers, new study finds]

US – Tool Diagnoses Severity of Leaked PI

The New York Times published an online tool to gauge not only which elements of your personal information have been leaked but also how many times it was accessed by hackers depending on your online registrations, purchases or enrollments with companies such as Target, Anthem or Neiman Marcus. “How can you protect yourself in the future? It’s pretty simple: You can’t,” the report states. “But you can take a few steps to make things harder for criminals,” like two-factor authentication, frequent password updates and encryption. The report also includes links to each breached corporation’s public statement regarding the hacks. [Full Story]

US – Sparapani Outlines “Consumer Data Compact”

ACLU and Facebook veteran Tim Sparapani outlines a “Consumer Data Compact” for the Digital Age. The “fundamental question” of the time, he writes, could be, “Are businesses returning at least as much, if not more, value to their customers from using their data than the businesses obtain from that data? Answering this question can allow both businesses and regulators to evaluate the privacy impact of products and services.” He continues, “When businesses are able to answer this question in the affirmative, they have aligned their interests with those of consumers. The FTC and state regulators should work to align its policy and enforcement work to incentivize companies to make just such an analysis.” [Forbes] See also: [Slate: Turning the Tables: A Privacy Policy from the Users] See also: [Why Netflix and HBO don’t care if they lose $500M a year to password sharing]

US – Digital Trust Foundation Grants $1.6M to Address Cyber Abuse

The Digital Trust Foundation (DTF) announced that it will award $1.6 million in grants for research, education and support for “understanding, preventing and responding to digital abuse.” DTF Board Member Larry Magid said, “Cyberbullying, cyberstalking, and other forms of digital abuse are far too common.” Three of the grants will go toward research on digital abuse related to cyberstalking and digital domestic violence; two will go toward abuse in schools; one will go toward creating an online platform for victims, while three more will focus on the legal system. [Full Story]

E-Government

HK – Personal Data Checks Fail to Register in Public Lists

Just one in 10 commonly used government public registers has safeguards against the misuse of private data, the Office of the Privacy Commissioner for Personal Data has found. The 10 registers that it examined covered bankruptcies, births, business, companies, land, marriages, notice of intended marriages, licensed persons, vehicles and voters. Personal data available include identity card numbers, residential addresses and signatures on the companies, land and vehicle registration information. Privacy Commissioner Allan Chiang Yam-wang said cyber bullying, financial loss and personal safety risks may ensue from people with malicious intent getting access to the information. “The ideal scenario would be that the legislation responsible for setting up the public registers is clearly defined,” Chiang said. The register of electors is the only public list in the survey that has legislative safeguards written in to guard against data misuse. Of 82 public register-related laws, only 32 state the purposes of the publication of the data. Just five of these 32 contain explicit measures against misuse of the data. Chiang said the Personal Data (Privacy) Ordinance cannot be fully applied to public registers because each is governed by its own legislation. [Pogo Was Right]

US – Clearer, More Stringent Cybersecurity Rules for Government Contractors

The White House wants government contractors to have strong, clear, and consistent rules for protecting sensitive data. Recent breaches underscore problems in the current contractor arrangements, including inconsistent data security standards in federal contracts as well as in various guidelines established by different agencies. A proposal for new rules will soon be available for public comment. [The Hill] [Amazon] See also [The blue pages conspiracy blues: Why Ottawa doesn’t want you to call]

US – White House to Release Vendor Data Policy

The White House will release a new policy that aims to create consistency amongst vendors and their storage of government data. “The increase in threats facing federal information systems demand that certain issues regarding security of information on these systems is clearly, effectively and consistently addressed in federal contracts,” an Office of Management and Budget notice states. Meanwhile, the Pentagon has chosen Leidos to handle the modernization of its electronic healthcare records. “We wanted to make sure we took adequate steps to protect the information that will be on this system, as well as the privacy of health care information,” said Undersecretary of Defense for Acquisition, Technology and Logistics Frank Kendall. [Nextgov]

E-Mail

US – Email Privacy Act Could Bypass Debate

With 291 cosponsors, the Email Privacy Act, which would modernize the 1986 Electronic Communications Privacy Act (ECPA), is in a position to bypass debate and move straight to approval. “When ECPA was written, the Internet as we understand it did not exist,” said Rep. Kevin Yoder (R-KS), author of the Email Privacy Act. “Only 340,000 Americans even subscribed to cell-phone service. Mark Zuckerberg was only two years old. But as our society and technology has evolved, our digital privacy laws remain stuck in 1986. With our bill now receiving the support of a veto-proof majority of the House of Representatives, the time has arrived to fix that.” [Multichannel]

Encryption

US – Dept. of Commerce to Revisit Wassenaar Export Rules

A US Department of Commerce spokesperson said that the government plans to revise export controls on hacking tools after members of the information security community spoke out against the government’s first iteration of the rules, required by the Wassenaar Arrangement. The rules are aimed at restricting the export of cyber tools that could be used for malicious purposes. Security experts have said that the rules would have a chilling effect on research. [The Register]

PK – Pakistan Bans BlackBerry Enterprise Services

Pakistan’s Ministry of the Interior has issued a notice to the Pakistan Telecommunication Authority (PTA) to order telecommunications companies that serve that country to stop access to BlackBerry Enterprise Services as of December 1, 2015. The directive was issued “for security reasons,” according to a PTA spokesperson. [The Register] [v3.co.uk] [ArsTechnica]

EU Developments

EU – EDPS Provides Detailed Recommendations for Final GDPR Text

As the trilogue process continues toward a final draft of the EU’s proposed General Data Protection Regulation, the European Data Protection Supervisor has not stood idly by. Today, the EDPS released a detailed draft of its own, creating a new “fourth text” for the trilogue process to consider. Further, it has released its own mobile app that allows one and all to both read its recommendations and compare all of the texts against one another. [Privacy Tracker]

EU – Data Privacy Chief Criticizes Air Passenger Bill

EU data privacy chief Giovanni Buttarelli has said a forthcoming law gathering detailed information on air passengers is too invasive and is unlikely to stop terrorism. Buttarelli said it makes more sense to target specific categories of flights, passengers, and countries. “I’m still waiting for the relevant evidence to demonstrate, even in terms on the amount of money, and years to implement this system, how much it is essential,” he said. His comments come after MEPs in the civil liberties committee on 15 July agreed a legislative proposal that will allow the collection of detailed information – such as credit card details and addresses – of all people flying in and out of the EU. Buttarelli is due to give a formal opinion on it in September. [euobserver.com]

UK – High Court: Parts of Data Retention Law Illegal

The UK High Court has struck down a key provision in the nation’s surveillance legislation. The Data Retention and Investigatory Powers Act (DRIPA) was considered “emergency” legislation after the EU’s highest court struck down the EU data retention directive. DRIPA required communications providers to retain customer data in case intelligence services needed to investigate crimes. The UK High Court agreed with MPs David Davis and Tom Watson that the law did not include enough privacy or data-protection safeguards. Sections 1 and 2 of DRIPA were found unlawful on the basis that:

  • they fail to provide clear and precise rules to ensure data is only accessed for the purpose of preventing and detecting serious offences, or for conducting criminal prosecutions relating to such offences.
  • access to data is not authorised by a court or independent body, whose decision could limit access to and use of the data to what is strictly necessary. The ruling observes that: “The need for that approval to be by a judge or official wholly independent of the force or body making the application should not, provided the person responsible is properly trained or experienced, be particularly cumbersome.”

The government has nine months to rewrite the law, and the Home Office said it will appeal the ruling. [Politico EU] [UK High Court smacks down ’emergency’ UK spy bill as UNLAWFUL]: Government has until March 2016 to write new legislation]

EU – Google Changes User Consent Policy to Comply With Cookie Reg

Google has announced a change to its user consent policy, which will affect website publishers using Google products and services including Google AdSense, DoubleClick for Publishers and DoubleClick Ad Exchange. Google says that under the new policy, publishers will have to obtain EU end-users’ consent before storing or accessing their data. The change is in direct response to the EU’s cookie-consent rules (the ePrivacy Directive), the report states, and follows Google’s CookieChoices website, launched earlier this month. The site was launched to help digital publishers obtain tools and access other resources in their endeavor to gain user consent. [TechCrunch]

EU – Google Appeals CNIL’s RTBF Order

Google is appealing the CNIL’s formal notice that the company honor right-to-be-forgotten requests globally. In a blog post, Google Global Privacy Counsel Peter Fleischer writes, “We’ve worked hard to implement the right-to-be-forgotten ruling thoughtfully and comprehensively in Europe, and we’ll continue to do so … But as a matter of principle, we respectfully disagree with the idea that a national data protection authority can assert global authority to control the content that people can access around the world.” Fleischer also suggests a global implementation would have a “chilling effect” on the Internet. Meanwhile, in the U.S., the Association of National Advertisers is urging the FTC to dismiss a Consumer Watchdog complaint that claims not honoring takedown requests is an unfair and deceptive trade practice. [Full Story]

EU – AEPD Names New Director

The Council of Ministers on Friday announced that Mar España Martí has been named the new director of the Spanish Data Protection Agency (the AEPD). She replaces José Luis Rodríguez Álvarez, who served in the role for four years. The new director, according to a press release in Spanish, is a lawyer and civil servant with extensive experience working on the protection of human rights. Her work with the presidency has included a focus on electronic administration and information security, promoting quality of data and transparency efforts in the Spanish government. She will serve a term of four years as the head of the AEPD. Rodríguez reports that he will return to his work at Universidad Complutense de Madrid and will remain active with data protection issues. [Full Story]

EU – Nymity Announces New EU Headquarters, New Roles

Nymity has announced it will open a new European headquarters in London, UK, and Lauren Reid will assume the role of director of EU privacy solutions. Reid has worked for two years at Nymity’s corporate headquarters in Toronto, Canada. “I am excited for the opportunity to be on the ground in Europe during what promises to be an eventful fall, with the EU regulation just around the corner and evolving expectations for the privacy office,” Reid said. Nymity President Terry McQuay said the London expansion gives the company an opportunity “to further our commitment to EU data protection and accountability.” Nymity has also announced it is welcoming Jorge Molet in the newly created post of Privacy Research Lawyer, Latin America. [Full Story]

EU – Ireland: Right to Access Birth Cert For Up to 50,000 Adopted

As many as 50,000 adopted people will have the right to their birth certificate for the first time under new legislation being drawn up by the Government. The Adoption (Information and Tracing) Bill, due to be discussed at this week’s Cabinet meeting, is expected to operate retrospectively and will apply to all future adoptions.  At present many adoptees are unable to access birth certs listing their original parents’ names due to legal obstacles, including a constitutional right to privacy on the part of birth parents. To help resolve this, adopted people would be required to sign a statutory declaration obliging them to respect the wishes of birth parents in cases where they do not wish to be contacted. This mechanism is regarded by those involved in drafting the legislation as a way of striking a balance between the right to privacy of birth parents and the identity rights of adopted people. [Irish Times]

EU – European News Roundup

Facts & Stats

WW – Average Black Market Identity Cost? Twenty Bucks

The going rate for a stolen identity is about $20. That’s according to Quartz, which analyzed listings for a full set of someone’s personal information—known as “fullz”—on the black market, using data collected by dark web search engine Grams. More than 600 listings came up, some identities including credit card information, some not. The listings ranged in price from less than $1 to about $450, the report states—the median price being $21.35. The most expensive identity, from a vendor called “OsamaBinFraudin,” came for $454.05, because, the vendor said, the identity came with a high credit score. Another identity, selling for $248.22, came with an American Express card with a $10,000 limit. [Full Story] See also: [Why Russian Cybercrime Markets Are Thriving]

Finance

WW – Apple Proposes Ads Based On Your Credit Balance

Apple has once again aimed squarely at the FinTech market and followed up its recent patent application for P2P banking with another: e-commerce advertising based on your available bank balance. In its latest filing with the U.S. patent office, Apple describes a “Method and system for targeted advertising of goods and services to users of mobile terminals, based for example on the users’ profile. Goods and services are marketed to particular target groups of users sharing a common profile which may be selected to increase the likelihood of the users responding to the advertisements and purchasing the advertised goods and services. The common profile of users may be based on the amount of pre-paid credit available to each user. An advantage of such targeted advertising is that only advertisements for goods and services which particular users can afford, are delivered to these users.” [Forbes]

FOI

EU – Privacy Trumps Journalistic Freedom, European Court Rules

The European Court of Human Rights (ECHR) has ruled that journalists can be prevented from publishing publicly available information in cases where a person’s right to privacy is violated. In the case of Satakunnan Markkinapörssi and Satamedia v. the Republic of Finland, the ECHR decided that the Finnish magazine could be prevented from publishing publicly available tax data in order to protect the privacy rights of individuals. Finland’s data protection ombudsman advised the companies to stop publishing such data, but the companies felt it violated their freedom of expression. Pinsent Masons’ Ian Birdsey said, “The case highlights the difficulties that the courts often face when seeking to balance competing rights,” adding, “It will be interesting to see how the courts will assess the ‘public interest value’ on a case-by-case basis.” [Out-Law.com]

US – US Census Bureau Data Dump

Cyber activists have taken information from servers used by the US Census Bureau and made the data available online. The compromised data do not include citizens’ census records, but instead they include information about Census Bureau employees, including email addresses, password hashes, and the IP addresses from which they last logged in. Much of the information was already accessible online. [The Register] [NextGov]

Genetics

WW – Genetics Company, Pharma-Research Looking to Extend Lifespan

Personal genetics company AncestryDNA has announced a partnership with Google-owned biotech firm Calico. AncestryDNA, the genetic branch of Ancestry.com, has a “massive database of genetic information on its paying customers” to help Calico search for genes that affect lifespan and potentially develop drugs to lengthen it. The partnership is just the latest in a growing trend. For example, genetics company 23andMe recently partnered with Pfizer. “The logic behind these partnerships is clear,” the report states, as the genetics companies collect and store DNA swabs participants have consented to, which is valuable for research, while “typically, it takes a lot of cajoling to get people … to part ways with their biological bits.” [Wired] See also: [Kuwait DNA tests violate right to privacy: HRW] and See also: [indiatimes.com: Is the Upcoming DNA Profiling Bill The End of Physical Privacy?]

Health / Medical

US – Healthcare Org Calls for Improved Privacy Laws

It’s time for Congress to sophisticate both “our antiquated medical privacy laws and … our technological capabilities,” Health IT Now Coalition Executive Director Joel White writes, citing a whitepaper from the organization. “We call on Congress to systematically review the costs and benefits of privacy laws in light of recent scientific and technical advances,” White writes. “There are less burdensome models for protecting privacy—we use them every day.” He also considers HIPAA, arguing, “Enforced by a punitive regime of fines and jail terms, HIPAA elevates even the most mundane health records to the level of national security secrets.” [The Hill] See also: [Software turns smartphones into tools for medical research]

US – Halamka and McGraw: HIPAA Helps Patients

Beth Israel Deaconess CIO John Halamka and Office for Civil Rights Deputy Director for Health Information Privacy Deven McGraw write that HIPAA is neither as antique nor as cumbersome a regulation as recent critiques make it out to be. “Although intersecting federal and state laws on this topic can often be confusing and are a significant source of frustration, providers should still seek to avoid over-interpreting,” Halamka and McGraw write. “Low tolerance for risk with respect to compliance with privacy laws can … actually impose significant risks on patients … there no longer needs to be a tradeoff between privacy and safety.” [FierceHealthIT]

US – Advocates Say Legislation is Problematic

Patient Privacy Rights’ Deborah Peel believes recent legislative moves such as the 21st Century Cures bill lack innovation and put the patient second. “The problems of interoperability of data, the 21st Century Cures bill and the calls to create a national patient identifier are all proposals to solve today’s problems with yesterday’s technology—pressure to open up commercial use of health information. This doesn’t have anything to do with research and cures,” Peel said. “The promise of electronic health information was supposed to be to help with treatment, not to create massive, hidden business models where people are using your data for purposes we don’t even know about,” she added. [FierceHealthIT]

US – The Many Misinterpretations of HIPAA

There are many ways that “people use, misuse or abuse HIPAA.” For example, in 2012, a woman called a Pennsylvania hospital to alert staff of her mother’s medical history, only to have the staff refuse to take the information, citing HIPAA. As a result, her mother was nearly given a medication to which she was allergic. In such scenarios, said Carol Levine of the United Hospital Fund’s Families and Health Care Project, HIPAA has become “an all-purpose excuse for things people don’t want to talk about.” Rep. Doris Matsui (D-CA) has introduced legislation that would clarify the law, noting “it’s just misunderstanding what is and isn’t allowed under HIPAA.” [The New York Times]

US – Court Upholds Waiver of Privacy Rights in Malpractice Suits

A Florida appeals court upheld the constitutionality of a controversial change in Florida’s medical-malpractice law, “ruling in part that some privacy rights are waived when people pursue malpractice lawsuits.” The decision stems from a 2013 law that requires patients to sign forms authorizing “ex-parte communications” before filing malpractice claims. Emma Gayle Weaver filed a challenge to the law, arguing it violates the right to privacy in medical-malpractice cases. But the three-judge panel wrote in its decision that any privacy rights pertaining to medical information “are waived once that information is placed at issue by filing a medical malpractice claim.” [Orlando Sentinel]

US – Court Examining Pocket-Dial Privacy Implications

The U.S. Court of Appeals for the Sixth Circuit has found no expectation of privacy for Cincinnati/Northern Kentucky International Airport Board Chairman James Huff, who inadvertently dialed a coworker, Carol Spaw, who recorded Huff’s conversation with his wife and another board member about personnel matters, noting he “failed to take ‘simple and well-known measures’” to protect against pocket-dials. However, the court “revived Bertha Huff’s claims, finding she had a privacy expectation even if she was aware that her husband’s phone could accidentally make phone calls,” the report states, sending the case back to district court to determine if Spaw’s actions “met the standard for an ‘intentional use of a device’ to intercept Bertha Huff’s statements.” [The National Law Journal] See also: [US – Privacy and the Data Toothpaste Problem]

US – Uncertainty Surrounds 21st Century Cures Bill

Wiley Rein’s Kirk Nahra discusses the 21st Century Cures Bill, recently passed by the House of Representatives. Two of the bill’s provisions, Nahra says, raise a lot of questions about whether they’re good ideas and address problems that need to be dealt with on HIPAA’s privacy rule. One provision, for example, allows for disclosures of health information for research purposes to pharmaceutical companies and medical device manufacturers and “seems to allow these companies to pay an unlimited amount of money to obtain that data,” Nahra notes, adding, “Usually you can’t pay for protected health information, so that’s … creating some significant potential privacy concerns.” [Healthcare Info Security]

US – Appeals Court: Neiman Marcus Suit Can Proceed

Reversing a previous ruling, the U.S. Court of Appeals in Chicago found that victims of the 2013 Neiman Marcus LLC data breach will be able to sue the corporation. Unlike U.S. District Judge James B. Zagel’s initial ruling, the court found victims could indeed show “concrete injuries” and therefore had grounds for a suit, reasoning that “unreimbursed payments weren’t the only possible harm” and “citing the cost of credit monitoring and the hackers’ ability to use the fraudulent data for years,” the report states. “Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities,” the court said. [Bloomberg Business]

UK – NHS Official Demands Details of Millions of Confidential Appointments

A top health official has demanded confidential details of millions of GP appointments. Sparking yet another NHS privacy row, she has ordered the firm in charge of bookings at most English surgeries to hand over the sensitive data urgently. The information includes the date, time and duration of appointments as well as the reason for the consultation. Most of the postcode of the patient is also asked for, as well as their date of birth. The information is intended to gauge demand for the Government’s planned seven-day NHS. But privacy campaigners say it is incredible that neither patients nor their GPs have been consulted about the move. They warned there was enough information within the files for patients to be identified. [The Daily Mail]

Horror Stories

US – OPM, Anthem Hackers May Have Breached United Airlines

The same hacking group that stole sensitive records from the Office of Personnel Management (OPM) and Anthem also breached United Airlines. Manifests were compromised, which include passenger names, travel times, arrivals and departures. Security professionals believe such data can be cross-referenced with other data stolen from Anthem and the OPM to create detailed maps of U.S. citizens and increase the possibility of advanced and precise targets for blackmail and espionage. United Airlines is also one of the biggest airline contractors with the U.S. government, “making it a rich depository of data on the travel of American officials,” the report states. [Bloomberg Business]

US – Planned Parenthood Says Hackers Trying to Steal PI

Planned Parenthood announced Monday that anti-abortion hackers are attempting to breach the organization to access and potentially expose sensitive data on its employees. Planned Parenthood Executive Vice President Dawn Laguens said the attempts are a “gross invasion of privacy” that could put its staffers at risk. “Planned Parenthood has notified the Department of Justice and separately the FBI that extremists who oppose Planned Parenthood’s mission and services have launched an attack on our information systems,” she said. An adversary called “E” has taken some credit for the attack. Hackers have also threatened to release more information, including internal emails, though it hasn’t been confirmed if such data has been accessed. [The Hill] [Planned Parenthood confirms attack from anti-abortion hackers]

US – Class-Action Filed Over Data Theft

Experian is the target of a class-action lawsuit alleging it “failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves.” Hieu Minh Ngo, who used the guise of a private investigator to gain access to Experian-owned Court Ventures’ 200 million profiles, was recently sentenced to 13 years in prison. Ngo’s customers scammed victims out of “$65 million in fraudulent individual income tax returns,” the report continues, noting plaintiffs are suing for complimentary credit monitoring as well as a fund “for reimbursement of the time and out-of-pocket expenses they incurred to remediate the identity theft and fraud caused by customers of Ngo’s ID theft service.” [KrebsOnSecurity]

US – Health System Faces Potential Class-Action

Children’s National Health System is facing a potential class-action lawsuit following the hack of up to 18,000 patients’ personal data last year. Patient Fardoes Khan filed the suit after being informed her data was compromised. [Washington Business Journal]

US – Insurer and State Program Announce Breaches

In New York, insurance payer Healthfirst is notifying members of a data breach affecting approximately 5,300 individuals, and, in Georgia, approximately 3,000 clients of Community Care Services Program are being notified that the state’s Division of Aging Services program inadvertently emailed their personal data to a contracted provider not authorized to view the information.

US – More Stores Shut Down Photo Centers

CVS recently disabled its online photo center following news of a potential breach through PNI Digital Media, following a similar action by Walmart in Canada, and now other stores in the U.S. and UK—including Rite Aid, Sam’s Club and Tesco—have moved to do the same after PNI, which either manages or hosts the sites, examined the possible extent of the breach. “We take the protection of information very seriously,” said Kirk Saville of Staples, which purchased PNI last year. “PNI is investigating a potential credit card data issue, and outside security experts are assisting in the investigation,” he continued. “The retailers’ main websites and other services were not affected by the potential breach,” the report states. [Reuters] [Hacking fears close photo websites]

WW – Anonymous Behind Census Bureau Hack

“Online activist collective” Anonymous took credit for the United States Census Bureau’s hack and subsequent data leak, citing displeasure with the “secretive” drafting of the Trans-Pacific Partnership (TPP) and Transatlantic Trade and Investment Partnership (TTIP) agreements as its impetus. The Census Bureau deemed the information released by Anonymous as “non-confidential,” the report continues. “Security and data stewardship are integral to the Census Bureau mission,” the organization said in a statement. “We will remain vigilant in continuing to take every necessary precaution to protect all information.” [The International Business Times] [CA – Public service labour board taken offline after breach discovered last week]

US – Class-Action Filed Following UCLA Breach Admission

Following UCLA Health’s admission last week that it had been hit by a massive data breach in May, a former patient has filed a class-action lawsuit in U.S. District Court claiming the health system broke its contractual obligations to protect patients’ data. Allen filed the suit on behalf of “several millions of individuals,” the report states, claiming personal data entrusted to the hospital was “left in an unencrypted state and stolen by cyber thieves.” Meanwhile, in an op-ed on The Hill’s Congress Blog, attorney Karla Grossenbacher makes the case for a single, federal standard on data breach notification. [ConsumerAffairs]

US – Senate Votes to Fund OPM Victims, Not OPM

The Senate Appropriations Committee voted to provide the 22 million-plus victims of the OPM hack with 10 years of credit monitoring and a $5 million fund for damage reparation, but did not vote in favor of providing the organization itself with additional funds. The victims’ “vulnerability will go on for a number of years,” said Sen. Barbara A. Mikulski (D-MD), who introduced the amendments based on the proposed RECOVER Act. “They deserve our protection.” But some feel more work needs to be done. Sen. John Boozman (R-AR), himself a victim of the hack, has called for additional hearings, adding, “this is something that our country has to get straight.” [Roll Call]

US – OIG Finds Lack of Cybersecurity Tech and Training Among Reasons for Breach

In a newly released study, the Office of the Inspector General (OIG) identifies the U.S. Postal Service’s “undertrained employees, lack of accountability for risk acceptance decisions, ineffective collaboration among cybersecurity teams and continued operation of unsupported systems” as contributing factors to its data breach in 2014, which affected 2.9 million people. “Although USPS was in compliance with fundamental legal and industry requirements, it did not have a security operations center providing round-the-clock incident analysis and response,” the report continues, adding that the agency is moving to update its cybersecurity technology. Meanwhile, a new ruling mandates that the Inspector General must gain permission to obtain sensitive information from the organization it audits, a move that “significantly impaired” the role, said Inspector General Michael E. Horowitz. [FierceGovernmentIT]

US – Ashley Madison Site Followed Standard Practice. That’s Bad

The controversial Ashley Madison website, known for promoting extramarital affairs, followed standard web security practices yet failed to implement simple privacy and security design features, making such a breach “inevitable.” The site’s password-reset feature responded differently for registered and unregistered e-mail addresses, letting anyone check whether a given person used the site, for one, and the site kept real names and addresses on file. Johns Hopkins cryptographer Matthew Green makes the point that customer data is often a liability and not an asset. Ashley Madison’s site also charged users $19 to delete their data, “a practice that now looks like extortion in the service of privacy.” A column in The Washington Post states that the breach should be a “warning to all of us—cheaters or not.” [The Verge] [Online Cheating Site AshleyMadison Hacked] [Privacy sacred, even for the unscrupulous]
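The password-reset oracle described above, shown as an added example beside a hardened version; this is not code from the original article or from Ashley Madison, and the user store, outbox and handler names are constructed for illustration. The leaky handler answers differently depending on whether the address has an account, so an attacker can enumerate membership with nothing but an e-mail list; the hardened handler does the same work and returns the same response either way, so the only channel that reveals membership is the mailbox its owner controls.

```python
"""Account enumeration through password reset: leaky handler vs. hardened one."""
import secrets
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample data (not real users). OUTBOX stands in for the mailer.
REGISTERED: Set[str] = {"alice@example.com", "bob@example.com"}
OUTBOX: List[Tuple[str, str]] = []      # (recipient, token) the mailer would send
RESET_TOKENS: Dict[str, str] = {}       # token -> email, kept server-side only


def leaky_reset(email: str) -> Tuple[int, str]:
    """Vulnerable pattern: the HTTP response itself reveals whether an
    account exists, so anyone can test an address without owning it."""
    if email not in REGISTERED:
        return 404, "No account found for that e-mail address."
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = email
    OUTBOX.append((email, token))
    return 200, "A password reset link has been sent."


GENERIC = "If that address is registered, a reset link has been sent."


def hardened_reset(email: str) -> Tuple[int, str]:
    """Same status and body for known and unknown addresses. The token is
    generated unconditionally so the work done (and thus the timing) does
    not depend on membership; the mail goes out only for real accounts."""
    norm = email.strip().lower()
    token = secrets.token_urlsafe(32)
    if norm in REGISTERED:
        RESET_TOKENS[token] = norm
        OUTBOX.append((norm, token))
    return 200, GENERIC


def redeem_token(token: str) -> Optional[str]:
    """Single use: the first redemption removes the token from the store."""
    return RESET_TOKENS.pop(token, None)


def is_enumerable(handler: Callable[[str], Tuple[int, str]],
                  known: str, unknown: str) -> bool:
    """True if an outsider can tell a registered address from an
    unregistered one using only the handler's visible response."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("leaky oracle:", is_enumerable(leaky_reset, "alice@example.com",
                                         "nobody@example.com"))
    print("hardened   :", is_enumerable(hardened_reset, "alice@example.com",
                                        "nobody@example.com"))
```

The uniform response closes the direct oracle; in production the handler also needs per-address and per-source rate limiting, a short token lifetime, and a check that the mailer's own failures (bounces, queue delays) are not surfaced to the caller, since any of those reopens a side channel.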

WW – Health System, Adultery Site, Photo Center Breached

UCLA Health System’s computer network sustained a data breach in which as many as 4.5 million unencrypted personal health records were accessed. Patient Privacy Rights’ Deborah Peel said, “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links.” In a separate breach, hackers claim to have in their possession the personal information of 37 million users of AshleyMadison—a website that connects people who want to have extramarital affairs. The hackers, reports journalist Brian Krebs, have said they will release personal data until the site, along with other Avid Life Media sites, are taken down. In yet another data breach, CVS shut down its online photo center after an intrusion may have accessed customer credit card information. [Los Angeles Times] [Sask. Cancer Agency employees snooped on 48 patients] [SK: Snooping cases worry privacy commissioner] See also: [CA – NB Horizon notifying patients after laptop stolen in Fredericton: Stolen laptop contained Medicare information and was not password protected] See also: [Misdialed fax number led to privacy breach, Liberals say: A wrong fax number resulted in privacy breach in Hamilton affecting some 500 recipients of disability payments]

US – BCBS Post-Breach Response May Set New Precedent

Blue Cross Blue Shield’s move to provide complimentary identity monitoring to the 106 million victims of its recent breach “for as long as they’re enrolled in the plans’ insurance coverage” may set a new breach-response precedent. As corporations usually extend monitoring for one or two years post-breach, the decision is seen as landmark. “Something like this may eventually become standard business operations,” said Medical Identity Fraud Alliance Senior VP Ann Patterson. However, it’s problematic as “it requires the data breach victim to affirmatively ‘opt in’—they aren’t automatically included, and it only lasts as long as you are insured by Blue Cross,” said Cohen & Malad’s Lynn Toops. [BankInfoSecurity] [UK – Morrisons data leak ‘a warning to companies’ about importance of fraud prevention policies says expert]

Identity Issues

EU – DPA: Facebook Can’t Change Pseudonyms to Real Names

In Germany, Facebook has been barred from stopping users from creating accounts under pseudonyms. The Hamburg data protection authority has said the social network cannot change individuals’ chosen usernames or ask them to provide official identification, the report states. The ruling follows a woman’s use of a pseudonym for her Facebook account “to avoid unsolicited contact in relation to her business” that the social networking site changed to her actual name. Facebook has expressed disappointment with the ruling. “The use of authentic names on Facebook protects people’s privacy and safety by ensuring people know who they’re sharing and connecting with,” the company said. [BBC News]

US – De-Identify Data for Research’s Sake

The de-identification of healthcare data permits research innovation without sacrificing patient privacy, the report argues, noting that “both the healthcare and pharmaceutical industries are beginning to adopt this approach.” Eli Lilly Office of Medical Transparency Director Ben Rotz notes, “As we have a set of rules that are followed, as we start to see standards in place for how the data are collected, then we’re going to start to see more and more technologies emerge that allow for a standard way to anonymize the data,” adding, “As more and more of that tends to happen, people can concentrate on the why and the what of what they’re doing instead of the how do they make it happen from a technology perspective.” [HealthITSecurity]

CA – Transgender Activist Wins Court Battle Over IDs

The Newfoundland and Labrador government will change the Vital Statistics Act to allow transgender people to change their birth certificate and government identification to match their gender identity. The change comes after transgender activist Kyra Rees in St. John’s took the provincial government to court in a battle to get her birth certificate to reflect the gender she identifies with. With legislative changes, Rees and other transgender people can go out in public without fear of ‘outing’ themselves because of the gender marker on their identification cards. Similar changes have been made in Ontario, Alberta, British Columbia and Manitoba. Changes will be made to the act during the next session of the House of Assembly. Rees is urging the province to convene a fall sitting in the House of Assembly so that there is no delay in passing the legislation. [CBC News]

US – Use Synthetic Data to Protect Census Data

Since the first U.S. Census was carried out in 1790, the Census Bureau has expanded its mission and now collects information about occupation, education, income and other personal data. The datasets are useful, but confidentiality becomes harder to preserve. A research team led by Duke University Prof. Jerry Reiter and Cornell University Prof. John Abowd has developed an approach to solving this problem by using synthetic data, or “simulated data generated from statistical models,” the report states. “A query that can be asked of the confidential data can also be asked of the synthetic data,” Abowd said. [Nextgov]

WW – Finding the De-Identification Middle Ground

De-identification plays a major role in protecting privacy while allowing for data to flow and constitutes a big part of a privacy pro’s toolbox. There have been robust debates about its feasibility and whether it’s even possible to truly de-identify data, but, earlier this month, the Future of Privacy Forum (FPF) and Ernst & Young held a workshop to work through these issues in an attempt “to drill down into some challenges that privacy pros face in (their) day-to-day practice.” FPF Policy Counsel Joseph Jerome recaps the event and includes insight from industry, practitioners, academics and regulators about striving toward a workable and practical de-identification solution. [Privacy Tech]

Internet / WWW

WW – UN Gives U.S. Failing Grade on Privacy

The U.S. scores very low on protecting its citizens’ privacy, according to a new United Nations Human Rights Committee review. The committee’s midterm report cards for several countries, including Bolivia, Hong Kong, Norway, Portugal and the U.S., look at how well the countries have adhered to and implemented UN recommendations on the International Covenant on Civil and Political Rights. In several aspects of protecting privacy, the U.S. was graded “not satisfactory.” Specifically, the U.S. government has not established an adequate oversight system to ensure privacy rights are being upheld, the report states. [The Intercept]

Law Enforcement

CA – RCMP Tracked Toronto Activists With Fake Facebook Profile

Officers with the national police force used a Facebook profile to pose as a broke student so as to communicate with protest groups in Toronto, according to documents obtained under the Access to Information Act. The social media account, which went by the name of Bebop Arooney and had a profile picture of three penguins frolicking on a beach, tracked the Facebook pages of more than two dozen organizations in Toronto, ranging from Black Lives Matter Toronto and Idle No More to the Ukrainian Canadian Congress. Six Jewish and Palestinian groups were also monitored. WWF wrestler Mick Foley also attracted the Mounties’ attention. A second RCMP social media account — @angrycitizen123 — followed Foley on Twitter. The RCMP confirmed it created both profiles but said they were not used for surveillance purposes. “The (Facebook) account mentioned was opened in 2005 for operational reasons, and since that time, the RCMP’s social media practices have changed and evolved and now we use an official media account for such purposes,” a spokesperson said. “The Facebook account is historical and no longer relevant.” The Facebook profile was deleted Thursday. The Twitter account is still online. “If there are no criminal investigation ongoing, then monitoring these groups is potentially problematic,” said Cara Zwibel, director of the Canadian Civil Liberties Association’s Fundamental Freedoms Program. “Even though we think of social media as stuff that is out there in the public, the privacy commissioner’s office made it clear that it doesn’t cease to be personal information just because it is in that kind of forum.” The Facebook profile also appears to have contravened Facebook’s own terms of use. A spokesperson for the social media giant said bogus accounts, even those created by law enforcement agencies, are subject to removal. [Toronto Star]

Location

US – MAPPS Publishes Best Practices

Following the FTC request that companies “protect the privacy of individual citizens’ ‘sensitive’ data as outlined in its Protecting Consumer Privacy in an Era of Rapid Change report,” national private-sector geospatial firms association MAPPS has published its “Best Practices Guideline” for handling users’ geospatial data, Directions Magazine reports. Announced during MAPPS’ yearly conference, the guidance provides assistance to companies when determining whether they “should obtain individual consent for collection of geospatial data and when it is not needed to protect privacy,” the report states. “This document helps engage in lawful, ethical and professional practice that is respectful of individual citizens,” said MAPPS Executive Director John Palatiello. [Full Story]

WW – Google Rolls Out User-Friendly Location History Tool

Google is rolling out a new “your timeline” feature for Google Maps in coming weeks “that is certain to thrill some folks—and horrify others.” The feature allows users to view their entire location history on Google Maps based on data pulled from devices upon sign-in to Gmail. Google says it’s a useful way to remember where you’ve been on any given point in time and that it’s only viewable to the user. [PCWorld]

Online Privacy

WW – New Operating System Brings Cheers and Privacy Concerns

With the rollout Wednesday of Microsoft’s new operating system, Windows 10, many praised its new features while others expressed concerns about user privacy. For those using Windows 7 or 8, the upgrade is free, but some are pointing out that comes with a privacy trade-off, as has been demonstrated in Microsoft’s new privacy policy and services agreement, the report states. Microsoft Deputy General Counsel Horacio Gutiérrez said the company’s new dashboard creates a “straightforward resource for understanding Microsoft’s commitments to protecting individual privacy with these services.” [Information Age] [Windows 10 may be free, but it comes at a huge price to your privacy] [Microsoft’s Windows 10: Some issues to consider before you upgrade]

WW – Microsoft to Honor Revenge Porn Takedown Requests

Calling it a “first step,” Microsoft announced it will honor takedown requests for so-called “revenge porn” in its Bing search engine and content access removal from Xbox Live and OneDrive upon a victim’s requests. “Much needs to be done to address the problem,” Jacqueline Beauchere wrote in a Microsoft blog post. “As a first step, we want to help put victims back in control of their images and their privacy.” The company has also set up a new reporting site for victims to inform Microsoft of particular photos or videos in question. Beauchere added, “It’s important to remember … that removing links in search results … doesn’t actually remove the content from the Internet—victims still need stronger protection across the web and around the world.” [Full Story]

WW – W3C: Fingerprinting, Supercookies Undermine Trust in the Web

In a new post, the World Wide Web Consortium (W3C) Technical Architecture Group (TAG) says digital fingerprinting, supercookies and other forms of pervasive tracking of users’ web behavior undermine trust in the Internet. “Tracking users’ activity without their consent or knowledge is … a blatant violation of the human right to privacy,” the post states. One of the group’s major concerns is that users have no means by which to prevent these “unsanctioned tracking” tools. Ad-tech companies have argued such tools are not privacy-invasive because they anonymize user data, but the TAG writes, “Unsanctioned tracking can be harmful even if non-identifying data is shared.” In a separate post in The Guardian, Felix Salmon opines that advertising technology is “killing the online experience” through privacy invasions and the excessive use of bandwidth. [MediaPost] See also: [US: The myth of online privacy]

WW – Most Android Phones at Risk From Simple Text Hack, Researcher Says

A security research company claims to have found a vulnerability baked into Android that could endanger nearly all devices running the popular mobile software. The flaw, says researcher Zimperium, exists in the media playback tool built into Android, called Stagefright. Malicious hackers could take advantage of it by sending to an Android device a simple text message that, once received by the smartphone, would give them complete control over the handset and allow them to steal anything on it, such as credit card numbers or personal information. So far, Zimperium told National Public Radio, the flaw has not been exploited, but in a blog post on its own website, it said that 95 percent of Android devices worldwide are vulnerable. [CNET] See also: [Thousands of Apps Secretly Run Ads That Users Can’t See]

WW – Adobe Aiming to Compete on Cross-Device ID Data

Adobe is working on its own cross-device ID that would aim to rival such platforms as Facebook and Google. The company has begun “actively recruiting co-op members” and has slated a beta release for November. Adobe’s privacy product manager told a group of consumers and partners on a recent conference call, “We are asking permission to use some of your anonymous data to build both a declared graph as well as a stitched graph to help fill in for situations where a consumer might not have signed in on a particular device.” But potential participants have cited concerns with how the co-op could conflict with current opt-out systems. [Ad Exchanger]

US – Senators Want FCC to Limit Info-Sharing

A group of senators wants the FCC to ensure that broadband providers do not share data about users’ web behavior without the users’ consent. “ISPs should gain affirmative express consent from consumers before using or sharing information beyond what a consumer would reasonably expect an ISP to use and share in order to deliver service and manage its networks,” wrote the group, which includes Sens. Ed Markey (D-MA), Richard Blumenthal (D-CT), Al Franken (D-MN), Patrick Leahy (D-VT), Ron Wyden (D-OR), Bernie Sanders (I-VT), Jeff Merkley (D-OR), Cory Booker (D-NJ) and Elizabeth Warren (D-MA). “This includes sharing information with affiliates, as well as for advertising or marketing purposes,” the senators added. [MediaPost]

US – White House Responds to Snowden, ECPA Petitions

The White House responded in separate statements to two petitions—the first calling for the pardon of Edward Snowden and the second calling for Electronic Communications Privacy Act (ECPA) reform. Regarding Snowden, the White House responded that his “dangerous decision to steal and disclose classified information had severe consequences for the security of our country,” adding, “He should come home to the United States and be judged by a jury of his peers.” However, the White House agreed with petitioners that “ECPA is outdated, and it should be reformed,” adding that while it won’t “endorse a single ECPA-reform bill at this time,” it is “encouraged by the strong bipartisan support for updating this legislation.” [Full Story] [After two years, White House says ‘no’ to petition asking for pardon of Edward Snowden]

US – The EFF Turns 25

The Electronic Frontier Foundation (EFF) celebrated its 25th birthday last week and the privacy community reflected on its colorful and impactful history. The report highlights some of the EFF’s landmark legal victories, such as the 1999 case in which the court agreed with the EFF that computer code was protected under free speech. Those within the industry expressed support and gratitude for the organization. “When the EFF is behind you, businesses have a fighting chance to protect their assets,” said Blancco Technology Group’s Paul Henry. “Many of the things that they have suggested are now considered best practices globally,” added Nok Nok CEO Phillip Dunkelberger. [CSO Online]

Other Jurisdictions

IN – Government: Citizens Have No Right to Privacy

The Modi government told India’s Supreme Court that citizens cannot invoke the concept of the fundamental right to privacy in attempts to scrap the Aadhaar national identity card program. Attorney General Mukul Rohatgi told Justice J. Chelameswar that the “constitution does not confer (the) right to privacy of citizens,” referring to a 1950s Supreme Court judgment in which eight justices ruled that citizens do not have such a right. Rohatgi added, “The law on right to privacy is vague in the country, and a larger bench should be constituted to pass an authoritative verdict on the issue. To be frank, question of violation of right to privacy does not arise when it does not exist.” [India Today]

AU – Immigration Department Sought Private Medical Records ‘for Political Reasons’

The personal medical records of asylum seekers have been handed over by International Health and Medical Services (IHMS) to Australia’s immigration department for “political purposes” and potentially in breach of privacy laws, according to leaked internal briefing notes from within IHMS. The revelations are contained in the meeting notes of a clinical directors’ meeting at IHMS on confidentiality in September 2013, obtained by Guardian Australia. In response IHMS and the immigration department strongly denied they had inappropriately provided or sought access to asylum seekers’ medical records. [The Guardian]

CN – Aliyun Publishes Data Protection Pact

At the first-annual Data Technology Day in Beijing, Aliyun, e-commerce company Alibaba’s cloud computing company, released its Data Protection Pact. “We aim to make cloud computing the engine of the data technology economy, and big data a driving force of economic development,” said Aliyun President Simon Hu. “Aliyun will continuously be committed to building a cloud-computing ecosystem to efficiently and securely serve global clients.” The document details Aliyun user rights, including the ability to “freely and safely access, share, exchange, transfer or delete their data at any time,” as well as the opportunity “to select whatever services they choose to securely process their data.” [MarketWatch]

WW – Asia-Pacific News Roundup

Privacy (US)

US – Appeals Court Overturns Neiman Marcus Dismissal

On Monday, July 20, the US Court of Appeals reinstated a liability case against Neiman Marcus for potential damage to consumers from the data breach that exposed data for 350,000 Neiman Marcus customers. The company acknowledged that at least 9,200 of those accounts were later used for fraud. This appears to be the first time an appeals court has recognized the actual damage associated with consumers having to research and repair credit card accounts after data breaches. [WSJ]

US – FTC Announces New Workshop on Lead Generation

The FTC announced it will host a new workshop on the increased use of lead generation across industries, including those in consumer lending and education. The FTC explained that lead generators “identify or cultivate consumer interest in a product or service, and sell the consumer ‘lead’ information to third parties.” In so doing, consumer leads often “contain sensitive personal and financial information” that travels through several businesses before reaching its final destination. The October 30 workshop will bring together representatives from industry, consumer advocacy and government to explore how lead generation works, what types may be unlawful, best practices and how consumers can avoid bad actors. [Full Story]

US – LifeLock Violated 2010 Settlement: FTC

The FTC has filed documents in U.S. District Court alleging identity-theft protection service LifeLock violated its 2010 settlement with the agency. The FTC alleges LifeLock made deceptive claims about its services, failed to implement a comprehensive information-security program to protect sensitive consumer data, falsely advertised that it protected customer data at a high level and did not meet the 2010 order’s bookkeeping requirements, an FTC press release states. “It is essential that companies live up to their obligations under orders obtained by the FTC,” said Consumer Protection Bureau Director Jessica Rich. “If a company continues with practices that violate orders and harm consumers, we will act.” The FTC voted 4-1 on the order, with Commissioner Maureen Ohlhausen in opposition. [Full Story] [FTC Charges LifeLock with Deception]

US – Senators Receive Millions of Faxes Protesting CISA

Opponents of legislation in the US Senate may have stalled a vote on the bill that aims to improve cyber threat information sharing between private companies and the government. Legislators were hoping to vote on The Cybersecurity Information Sharing Act (CISA) prior to the summer recess, which begins on August 10. A privacy advocacy group, Fight for the Future, sent more than six million faxes to Senate members protesting the proposed legislation. [ComputerWorld] [SCMagazine]

US – Trade Group, Privacy Advocates Launch Public-Facing Campaigns

Beginning next week and until August 28, trade group ACT-IAC is collecting recommendations from academia and the public and private sectors on ways to strengthen federal security. In September, the group will submit the recommendations to the Office of Management and Budget and will release a public report outlining its findings. Meanwhile, Fight for the Future, which operates the viral campaign “Operation: #FaxBigBrother,” announced that concerned Internet users have generated more than 6.1 million faxes in opposition to the Cybersecurity Information Sharing Act. The faxes were sent as part of a week of action organized by privacy advocacy and civil liberties groups. [NextGov]

US – Privacy Groups Turn to Fax Machines in Cyber Bill Fight

A broad coalition of civil liberties advocates and digital privacy groups have teamed up to create a one-week website — stopcyberspying.com — which lets anyone write up and send a fax to senators. Photos are optional. The move is part of the ongoing battle over a stalled cybersecurity bill that may hit the floor sometime later this week. The bill, known as the Cybersecurity Information Sharing Act (CISA), would boost the public-private exchange of data on hackers. Industry groups and many in Congress believe the enhanced sharing of this type of information is necessary to help the country better understand and counter the growing cyber threat. But privacy advocates believe the measure would simply create another outlet for the government to collect sensitive data on Americans. The website calls CISA “a surveillance bill in disguise” and “the Darth Vader bill.” [Source]

US – RNC Offers Voter File to Presidential Candidates

The Republican National Committee (RNC) has offered to share its voter file with Donald Trump’s presidential campaign. The RNC has the names, voting history and consumer data of roughly 250 million Americans, the report states. The Trump campaign’s attorneys are reviewing the data-sharing agreement, which has been offered to all 17 of the Republican presidential candidates, 11 of whom signed off on it. The RNC said every indication points to Trump entering into the agreement. The RNC offer runs in contrast to the decision by political operation Freedom Partners, which denied Trump access to its voter data. [Yahoo Politics]

US – Trump Shares Graham’s Cell Number

At a Tuesday speaking engagement, Republican presidential hopeful Donald Trump took aim at political rival Sen. Lindsey Graham (R-SC) by releasing Graham’s personal cell-phone number, which led to an “influx of calls.” With Trump, Graham said, “nothing surprises me anymore. It’s just too bad, really,” adding, “I think the beginning of the end has come. The beginning of the end has arrived because he’s crossed a line with the American people that will not be tolerated.” When asked if he would confront Trump on his actions, Graham added, “What good would that do, calling (him)? I’m more worried about the Iran nuclear deal than I am Donald Trump.” [Politico]

US – Lawsuit Filed Over City’s Garbage-Snooping Law

Seattle’s recent law requiring garbage collectors to look through trash to determine that no more than 10 percent of it is recyclables or food has sparked a privacy lawsuit. “In short, this program calls for massive and persistent snooping on the people of Seattle,” said the Pacific Legal Foundation’s Brian Hodges. “This is not just objectionable as a matter of policy; it is a flagrant assault on people’s constitutional rights.” Currently, violators of the law can expect to be fined anywhere from $1 to $50. “The law makes garbage collectors the judges and the juries,” Hodges told The Seattle Times. [KiroTV] [Does Seattle’s Trash Monitoring Violate Privacy Rights?]

UK – Supreme Court to Hear Google Appeal of Vidal-Hall

The England and Wales Court of Appeal delivered a decision in April that IAPP VP of Research and Education Omer Tene called “the European Judicial Privacy Decision of a Decade,” invalidating a section of the UK Data Protection Act and establishing affirmatively that “moral damage” is recoverable under privacy law. On Tuesday, however, the UK Supreme Court agreed to hear Google’s appeal of Google v. Vidal-Hall, and the impact of the decision will be wide-ranging. [The Privacy Advisor]

US – CISA Critics Speak Out

Sen. Ron Wyden (D-OR) argues that a classified 2003 National Justice Department memo has grave relevance to the ongoing debate on the Cybersecurity Information Sharing Act (CISA), which could potentially be voted on before the August recess. “I remain very concerned that a secret Justice Department opinion that is of clear relevance to this debate continues to be withheld from the public,” Wyden wrote. The senator isn’t the only one concerned about CISA, with groups like the ACLU and the EFF joining together to create stopcyberspying.com, a one-week only site that allows critics to send faxes to senators. “Congress is stuck in 1984,” the site states. “We’re going to communicate with it in a way it’ll understand: With faxes.” Meanwhile, the Senate Homeland Security and Governmental Affairs Committee is moving to enact additional anti-hacking legislation. [National Journal]

US – Gerstell Appointed as NSA’s General Counsel

Glenn Gerstell, a Washington, DC, attorney and “significant Obama fundraiser,” has been appointed as the NSA’s general counsel. While the move hasn’t yet been officially heralded, it’s already sparked debate. “His résumé shows no deep experience working with intelligence and national security issues that the NSA’s counsel contends with on a regular basis,” the report states. “That said, sources familiar with his appointment … noted that his experience running a large law firm would prepare him for overseeing the team of more than 100 lawyers in NSA’s general counsel’s office, who provide advice and guidance on everything from surveillance operations to contracts and procurement.” [The Daily Beast]

US – Appeals Court Rules Facebook Can’t Refuse Warrants

A New York state appeals court has ruled Facebook does not have the right to refuse search warrants for its users. “We continue to believe that overly broad search warrants—granting the government the ability to keep hundreds of people’s account information indefinitely—are unconstitutional and raise important concerns about the privacy of people’s online information,” said Facebook’s Jay Nancarrow. The court, however, “disagreed with Facebook’s claim that the federal Stored Communications Act gave it the standing to contest the warrants, saying the company had misinterpreted the law,” the report continued. [The New York Times]

US – Gunshot Detection System Prompts Privacy Concerns

While many believe ShotSpotter, SST’s new gunshot-detection program, is a breakthrough security offering, some are concerned with the privacy implications. Within 30 seconds of a gunshot, the program’s microphones are able to distinguish the shot, analyze it and report it to law enforcement. Cities and college campuses are installing it in droves. However, “many have questioned whether ShotSpotter could constitute a Fourth Amendment violation: warrantless search and seizure of public sounds,” the report states. “How can we be sure that the technology is in fact confined to listening for gunshots?” the ACLU’s Jay Stanley asked, adding, “How can we ensure that it won’t expand over time to more and more uses?” [The Guardian] [ShotSpotter: gunshot detection system raises privacy concerns on campuses]

US – Master’s in Cybersecurity Can Be Conduit to Lucrative Career

For students interested in pursuing a Master’s degree in cybersecurity, not only are more and more universities offering courses to that end, but the career path post-graduation is also proving to be increasingly lucrative and expansive. Schools like Carnegie Mellon University, Fordham University and the University of Southern California are among 10 schools profiled in the report, which notes that cybersecurity professionals had the eighth highest entry on the “100 best jobs for 2015” list. Additionally, “the profession is growing at a rate of 36.5% through 2022,” the report states. [CSO]

US – School District Discusses Body-Camera Policy

Iowa’s Burlington Community School District is considering student and teacher privacy implications as its school board works to define its new body-camera policy. “We hope to have a tool in place that will allow us to accurately address any issues or concerns that arise in our district,” said Director of Human Resources Jeremy Tabor. The board’s privacy considerations have run from “limiting the use of the cameras to student disciplinary situations” to “giving people the option to say ‘no’ to being recorded,” the report states. “We don’t want to rush this,” said Tabor. “We want to make sure we’re taking the proper amount of time to vet this and make sure we have a good, effective policy in place.” [Government Technology]

US – Legislators Want to Increase DHS’s Cyber Authority

US legislators have introduced a bill that would give the Department of Homeland Security (DHS) a greater role in overseeing the cyber security of federal agencies. The FISMA Reform Act would give DHS the authority to conduct risk assessments on federal networks and use defensive measures without the permission of an agency. [SCMagazine] [NextGov] [SCMagazine]

US – Legislation Aims to Establish Automobile Cyber Security Standards

US Senators plan to introduce legislation that would require cars sold in the country to meet certain cyber security standards. It calls for the National Highway Traffic Safety Administration and the Federal Trade Commission to establish those standards, which will include isolating critical systems from other parts of the vehicle’s network. The bill also includes provisions for customer data protection and privacy. [Wired] Earlier this year, members of the US House Energy and Commerce Committee wrote to 17 car manufacturers and the National Highway Traffic Safety Administration to ask for information about how they plan to address cyber security concerns. [EnergyCommerce]

Privacy Enhancing Technologies (PETs)

WW – Google, Silent Circle Pair Up on Next Version of Blackphone

Google and Silent Circle, the maker of the privacy-centric Blackphone, have formed a partnership. Through this partnership, the next version of the Blackphone will come equipped with Google’s Android for Work software, which allows users to compartmentalize personal and professional use and also “collects huge amounts of user data to sell advertising,” the report states, asking, “So why would Silent Circle, which is intensely concerned with privacy, team up with the largest data collection company in the world?” The answer, according to Silent Circle, “comes down to marketing … Most users of Blackphone and Silent Circle’s other encrypted-communication products are in Europe. The Google deal will raise the company’s profile in the U.S.,” the report states. [The Wall Street Journal]

WW – Researchers Say They’ve Created Faster Onion Router

A group of researchers claim they have created a better, faster alternative to the Tor network. In a newly published paper, researchers from the Swiss Federal Institute of Technology and University College London describe an anonymizing network called HORNET (High-speed Onion Routing at the NETwork layer), saying it could be part of the next generation of Tor. The researchers state HORNET moves anonymized data at 93 gigabits per second and can be scaled to handle large quantities of users. Though the researchers said the system couldn’t fully protect against targeted attacks, widespread use could stymie mass surveillance, they claim. [Ars Technica]

WW – Snowden Describes Privacy-Focused Internet, Calls for SPUD Protocol

Former U.S. National Security Agency contractor Edward Snowden remotely spoke at an Internet Engineering Task Force (IETF) meeting, urging attendees to design an Internet for users, not spies. “Who is the Internet for?” he asked. “Who does it serve; who is the IETF’s ultimate customer?” He said the growing use of credit cards on the web is pinpointing users’ identities. “We need to divorce identity from persona in a lasting way,” he said. “If it’s creating more metadata, this is in general a bad thing.” Snowden urged the engineers to implement the SPUD protocol, reducing the number of intermediaries through which data passes by a combination of transport protocols. [Snowden Describes How to Build an Internet Focused on Privacy]

US – Start-Up Aims to Put Users in Control

Given what they called a lack of regulations to protect consumers against potential harms as a result of increasingly pervasive and surreptitious online tracking, college buddies Chandler Givens and Ryan Flach decided to do something about it themselves. Seeing the kinds of concerns consumers have around companies doing things that, if not unlawful, felt wrong to them, Givens saw an opportunity in their combined skillset; Givens is a privacy lawyer and Flach a software engineer. Now they’ve launched TrackOFF, software designed to put power back in consumers’ hands by letting them combat digital tracking from their own computers. [The Privacy Advisor]

WW – Baidu Launches Privacy Protection App ‘DU Privacy Vault’

New Android Security Solution Protects Apps, Photos, Videos and More…

Baidu, a large Chinese-language Internet search provider and developer of PC, Web and mobile products, has launched DU Privacy Vault, Baidu’s first mobile app focused exclusively on protecting people’s privacy. Free to download, DU Privacy Vault enables users to easily and safely secure all the apps, photos and videos on their phone. In the name of preserving privacy, DU Privacy Vault showcases the following features:

  • App Lock: Lock all of your apps with a single gesture-based password. Secure your smartphone and completely protect your privacy.
  • Lock Cover: Disguise your lock screen as something else. A fake ‘App Crash’ screen cover and a ‘Fingerprint Scan’ screen cover are now included. More screen covers will be available for download soon.
  • Photo/Video Safe Vault: Hide and encrypt your photos and videos with DU Privacy Vault. Never again worry about other people peeking in on your gallery.
  • Prevent Uninstall: After you turn on the Prevent Uninstall feature, other people won’t be able to delete DU Privacy Vault from your phone without your authorization.
  • Lock Delay: Within the time limit you set, you won’t need to unlock your apps again when you reopen them.

DU Privacy Vault runs on Android 5.0 and up, and is available as a free download on Google Play. [Source]

EU – CyberGhost Talks Privacy

As CyberGhost, a Romania-based VPN start-up, invests in a EU pro-privacy boot camp for interested start-ups, it also has lots to say about privacy and data collection. “What we are doing here (with the boot camp) is to prove you can grow a company, sustainable, on the long term, with success and profitability, without using all this data. It’s just not necessary. It’s just a myth that you need data to run all businesses,” said CyberGhost Cofounder and CEO Rob Knapp. “We have a security industry that protects data because we store data. So why do we start storing data? The best data security is not to store it. It’s very simple.” [TechCrunch] [VPN Maker CyberGhost Aims To Grow A Privacy Hub In Eastern Europe]

EU – Hornet Gives Wings to Onion Privacy Technology

European researchers may have stumbled upon a new anonymised internet browser that is like Tor on rocket fuel. Hornet, or high-speed onion routing at the network layer to give it its full name, can move internet traffic at some 93Gbps and still offer the same level of protection as the sluggish Tor network, according to Ars Technica. The new method appears in a paper penned by a group of researchers from the Swiss Federal Institute of Technology in Zurich and University College London. [Source]

RFID / IoT

WW – Power of IOT Means Great Responsibility

Experts say that while incredibly promising, the Internet of Things brings with its advent much to consider. “Just imagine smart meters, which are great for reducing energy use and shrinking bills,” said KPMG’s Mark Thompson. “You could have the energy regulator, Ofgem, involved as well as Ofcom, because the data’s going over a broadband connection. Then, because there’s data involved, the Information Commissioner’s Office is bound to have an interest.” When data crosses borders, “you could have a perfect storm of countries not always having the same security and privacy standards,” he adds. To address the privacy issues, Privitar’s John Taysom recommends “disassociation”—through which “companies and governments get the data without a risk to privacy,” the report states. [The Guardian]

US – Connected Car Remotely Hacked; Legislation Introduced

Two years ago, Wired reported how security experts hacked a Ford Escape and a Toyota Prius by directly connecting computers into the cars’ online diagnostics port. Now, those same hackers have successfully demonstrated they can remotely hack a Jeep Cherokee miles away from the vehicle. Charlie Miller and Chris Valasek plan to discuss their findings at next month’s Black Hat conference in Las Vegas, NV. Remotely, Miller and Valasek were able to stop the vehicle, turn the ignition on and off and control the radio as well as all of the vehicle’s dashboard features. [Hackers hijack Jeep, taking control of speed, brakes: Two hackers remotely took control of a Jeep Cherokee and changed its speed and other features] Meanwhile, Sens. Ed Markey (D-MA) and Richard Blumenthal (D-CT) introduced legislation today aimed at setting new security standards for connected vehicles. [Full Story] See also: [Yahoo Finance: Ford CEO on Balancing Consumer Privacy Expectation]

US – Lawmakers Look Into Data Security

A House Judiciary Committee hearing examined the deluge of new Internet-of-Things devices that are proliferating in the marketplace and whether government needs to step in with new legislation. “The time of the ‘Dick Tracy’ watch is here,” said Rep. Ted Poe (R-TX). As automobiles, transportation systems and other devices increase the amount of data they collect, Rep. Jerrold Nadler (D-NY) cautioned that “unless cities integrate strong security … (they are) vulnerable to attack.” Poe also added that it’s Congress that “needs to set the expectation of privacy” for users. Consumer Electronics Association President Gary Shapiro cautioned against stifling data collection, noting, “There’s so much happening from an innovation point of view.” [Nextgov]

US – NHTSA Head Says Driverless Cars Must Have Privacy Protections

National Highway Traffic Safety Administration Administrator Mark Rosekind said this week that the agency encourages development and deployment of connected and driverless cars, but the industry must work to build in privacy and cybersecurity protections for widespread adoption. Rosekind said the industry must not only focus on traffic safety but information security as well. “We will have to help people who can’t tell LIDAR from a coffee maker,” Rosekind said. “Whether for profit or for malicious intent we know these systems will become targets for bad actors,” adding, “We must reassure vehicle owners that their data is secure, the vehicles are secure.” On Tuesday, a new privacy bill for connected cars was introduced. [USA Today]

Security

US – Survey: Execs Consider Cyber-Threats a Top Concern

A new survey reveals that three-quarters of executives from U.S. businesses, law enforcement and other organizations, as well as security practitioners, have said they are more concerned about cyber threats this year than they were last year. Conducted by PwC, the survey questioned more than 500 individuals. “Heightened awareness and concern are well-warranted,” the report states, noting, “A record 70% of survey respondents said they detected a security incident in the past 12 months. Many incidents go undetected, however, so the real tally is probably much higher.” PwC’s David Burg said 2015 is a “watershed year for cybercrime.” [Fierce Government IT]

WW – How Security Experts and Non-Experts View Online Safety

Researchers from Google have posted results that surveyed security experts and non-experts to determine how each group prioritizes online safety measures and explore why any differences between the two exist. Password management was a key priority for both groups, but their approach differed. Security experts said they rely on password managers, while non-experts relied on strong passwords and frequent password changes. “Our findings suggested this was due to lack of education about the benefits of password managers and/or a perceived lack of trust in these programs,” the researchers wrote in a Google blog post. Another key difference involved non-experts’ reliance on antivirus software. Security experts rely instead on software updates and noted that antivirus software “might give users a false sense of security since it’s not a bulletproof solution.” [Full Story] [37 million Americans don’t use the Web. Here’s why you should care]

US – New OPM Report: Hack Not Sophisticated; CSID Responds to Criticism

A new report on the Office of Personnel Management (OPM) hacks from the Institute for Critical Infrastructure Technology points to poor governance and outdated technology, rather than sophisticated intrusion techniques, as the reason for the breaches. “The failure of (the Department of Homeland Security) or OPM systems to detect the breach does not indicate a level of sophistication on behalf of the adversary,” the report states. Meanwhile, CSID President and Cofounder Joe Ross defended the company’s work in helping the OPM notify and respond to the initial hack affecting 4.2 million individuals. “We took a beating early on for doing what in our mind (was) the right thing to do,” he said. A column for The Washington Post states that government agencies currently do not have enough cybersecurity experts. [Fierce Government IT]

US – Government Asks Bidders on Hack Contract

The government plans to award a sweeping five-year contract in August to a private company to monitor the hacked security clearance data of 21.5 million people for identity theft and to ensure that the records are protected from further intrusions. The winning bidder will be asked to monitor the financial and health information of the breach victims (contractors, federal employees and their families) for fraudulent activity; set up call centers to answer questions; and train government employees in how to prevent other hacks and restore stolen identities. The contractor must also be on constant alert for further risks to the hacked background investigation files, among the most sensitive data in the government, according to a 55-page solicitation the General Services Administration issued last week. GSA has asked potential bidders whether they have the capacity to host such a large trove of data: “In light of these requirements, does your company have the ability to host and protect in excess of 21.5 million records?” [The Washington Post]

WW – Windows 10 Wi-Fi Sense Feature Shares Wi-Fi Passwords With Contacts

One of the new features of Microsoft’s newest operating system, Wi-Fi Sense, lets Windows 10 share an encrypted copy of your Wi-Fi network credentials with your Outlook and Skype contacts unless users specifically opt out. The password itself is never shown to those contacts, but the sharing mechanism lets them join your Wi-Fi network when they are in range. The Express settings during installation enable the feature by default. Two practical caveats are worth knowing: a given network is only shared if the user ticks the share option when connecting to it, and a network owner who wants to keep a network out of Wi-Fi Sense entirely can append “_optout” to its SSID. Several commentators argue the feature is less alarming than the early coverage suggested. [Krebs] [v3.co.uk] [ZDNet]

WW – Hackers Could Use Cell Phones as Spycams

Stagefright, the multimedia playback engine in Google’s Android, has a vulnerability so severe that “attackers could send a text message with a malicious video file and infect the mobile device without a recipient actually clicking to open the file,” effectively turning the phone into a “spycam,” The Christian Science Monitor reports. Google has released a patch for the flaw, but “the fix won’t help millions of users with older versions of the system that Google no longer supports,” the report continues. Meanwhile, Israeli researchers have shown how to pull data out of an air-gapped computer “using the GSM network, electromagnetic waves and a basic low-end mobile phone,” Wired reports. [The Christian Science Monitor]

US – CDOs a Growing Necessity

The need for a chief data officer (CDO) is growing as more organizations express concern about the increasing amount of data they must manage, according to TM Forum Transformation Research Center Managing Director Rob Rich. While “many service providers have successfully consolidated and modernized systems and simplified programs … there is lots more work to do to tap big data’s potential and to protect the organization’s (not to mention customers’) data,” Rich writes. “Clearly, the more fragmented a company’s data, the more difficult it is to manage and protect, and the more likely it is that sensitive data could be compromised.” A CDO’s role may include data strategy, education and data governance, the report states. [FierceCIO]

US – OPM Changes Privacy Policy; Hunt for New Contractor Underway

The Office of Personnel Management (OPM) announced it has changed its privacy regulations in order to allow investigators to probe its databases for security vulnerabilities. The OPM is also in the middle of finding a contractor for notifying and providing identity-theft protection services for the 21.5 million victims of the second hack of the agency. Jedidiah Bracy reports on the latest efforts by the OPM and the White House to shore up information security and appropriately respond to the second hack, as well as the latest moves by lawmakers to assess the relevance of providing such credit-monitoring services. [Privacy Tech]

WW – Stagefright Vulnerabilities Affect Nearly All Android Devices

Nearly all Android smartphones contain remote code execution vulnerabilities that can be exploited simply by sending the device a maliciously crafted text message. The vulnerabilities lie in Stagefright, the Android component used to play, record and process multimedia files. Google has developed a fix, but because wireless carriers and device manufacturers must also ship it, it is unclear whether and when individual devices will be patched. Until a patch arrives, the widely recommended mitigation is to disable automatic MMS retrieval in the messaging app, so that a malicious video is not processed before the user has seen the message. [SANS.edu] [ArsTechnica] [DarkReading] [Forbes] [ComputerWorld] [CNET]
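Both Stagefright items above come down to the same bug class: a media parser doing length arithmetic on an attacker-controlled size field before validating it (the disclosed Stagefright bugs were integer overflows in libstagefright’s MPEG-4 handling, a detail the items above do not state). The C example below is added here for illustration; it is not libstagefright code nor a sample from any of the cited reports. It parses the 8-byte box header that MP4 files use (a 4-byte big-endian size that counts the header itself, then a 4-byte type tag) with a naive bounds check that 32-bit wrap-around defeats, alongside a hardened version. The three input buffers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* An MP4 / ISO BMFF "box" starts with a 4-byte big-endian size (which counts
 * the header itself) followed by a 4-byte type tag. */
#define BOX_HEADER_LEN 8u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Naive parser: does arithmetic on the declared size before validating it.
 * Returns the payload length it would go on to copy, or -1 if it rejects the
 * box. Two attacker-controlled wraps slip through: a size below 8 underflows
 * 'payload', and a size near 2^32 wraps 'end' back below buf_len so the
 * bounds check passes. Either way a garbage length reaches the copy. */
static int64_t naive_box_payload_len(const uint8_t *buf, size_t buf_len, size_t off) {
    if (off + BOX_HEADER_LEN > buf_len) return -1;
    uint32_t size    = be32(buf + off);
    uint32_t payload = size - BOX_HEADER_LEN;   /* underflows for size 0..7 */
    uint32_t end     = (uint32_t)off + size;    /* wraps for a large size   */
    if (end > buf_len) return -1;               /* passes after a wrap      */
    return (int64_t)payload;
}

/* Hardened parser: every comparison is written in a form that cannot wrap,
 * and the size is validated before anything is derived from it. The special
 * MP4 sizes 0 ("to end of file") and 1 ("64-bit size follows") are simply
 * treated as unsupported here. */
static int64_t safe_box_payload_len(const uint8_t *buf, size_t buf_len, size_t off) {
    if (off > buf_len || buf_len - off < BOX_HEADER_LEN) return -1;
    uint32_t size = be32(buf + off);
    if (size < BOX_HEADER_LEN) return -1;       /* rejects 0..7 before subtracting */
    if (size > buf_len - off) return -1;        /* compare against the trusted side */
    return (int64_t)(size - BOX_HEADER_LEN);    /* cannot underflow after the check */
}

/* Constructed inputs for this example (not real samples). */
static const uint8_t BENIGN[16] = {             /* 'ftyp' box, size 16, 8 payload bytes */
    0x00, 0x00, 0x00, 0x10, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0x00, 0x00, 0x00, 0x01 };
static const uint8_t UNDERSIZED[16] = {         /* size 4 is smaller than the header */
    0x00, 0x00, 0x00, 0x04, 'm', 'o', 'o', 'v', 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t WRAPPING[32] = {           /* second box at offset 16 has size 0xFFFFFFF8 */
    0x00, 0x00, 0x00, 0x10, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0x00, 0x00, 0x00, 0x01,
    0xFF, 0xFF, 0xFF, 0xF8, 'm', 'd', 'a', 't', 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void) {
    printf("benign      naive=%lld safe=%lld\n",
           (long long)naive_box_payload_len(BENIGN, sizeof BENIGN, 0),
           (long long)safe_box_payload_len(BENIGN, sizeof BENIGN, 0));
    printf("undersized  naive=%lld safe=%lld\n",
           (long long)naive_box_payload_len(UNDERSIZED, sizeof UNDERSIZED, 0),
           (long long)safe_box_payload_len(UNDERSIZED, sizeof UNDERSIZED, 0));
    printf("wrapping    naive=%lld safe=%lld\n",
           (long long)naive_box_payload_len(WRAPPING, sizeof WRAPPING, 16),
           (long long)safe_box_payload_len(WRAPPING, sizeof WRAPPING, 16));
    return 0;
}
```

Run as written, the naive parser accepts both malformed boxes and hands back lengths of roughly 4 GB, which is the value a following memcpy into a fixed buffer would receive; the hardened parser rejects both and agrees with the naive one only on the well-formed input. The design point is that the trusted quantity (bytes remaining in the buffer) is always the one that gets subtracted from, and the untrusted size is only ever compared, never added.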

Smart Cards

WW – Sony Moves into the Drone Camera Business